
Weak key-IV Pairs in the A5/1 Stream Cipher

Ali Alhamdan, Harry Bartlett, Ed Dawson, Leonie Simpson, Kenneth Koon-Ho Wong

Institute for Future Environments
Science and Engineering Faculty
Queensland University of Technology
Brisbane, Australia

Email: [email protected], {h.bartlett, lr.simpson, e.dawson, kk.wong}@qut.edu.au

Abstract

A5/1 is a shift register based stream cipher which provides privacy for the GSM system. In this paper, we analyse the loading of the secret key and IV during the initialisation process of A5/1. We demonstrate the existence of weak key-IV pairs in the A5/1 cipher due to this loading process; these weak key-IV pairs may generate one, two or three registers containing all-zero values, which may lead in turn to weak keystream sequences. In the case where two or three registers contain only zeros, we describe a distinguisher which leads to a complete decryption of the affected messages.

Keywords: A5/1, initialisation process, loading phase, weak key-IV pairs, ciphertext only attack, stream cipher.

1 Introduction

The privacy of mobile telephone communications is protected by the A5/1 stream cipher. The approximate design of A5/1 was leaked in 1994 and the exact design revealed in 1999, when it was reverse engineered by Briceno (Briceno et al. 1999). A5/1 is a bit-based stream cipher that takes a 64-bit secret key and a 22-bit initialisation vector (IV), the frame number, as inputs into the 64-bit internal state. The internal state of this cipher is contained in three linear feedback shift registers (LFSRs).

Most recent stream cipher proposals require an initialisation process as an essential part of the cipher's specification. During the initialisation process, a secret key, k, and an IV, v, are loaded into the internal state. This loaded state is then processed to diffuse k and v across the internal state before keystream generation occurs. A good initialisation process should ensure that keystreams formed from the same key but different IVs do not reveal information about the secret key and cannot be used to facilitate any attack.

It is sometimes possible to find key-IV pairs that result in one or more registers containing only zeros at the end of the loading and diffusion phases of the initialisation process (Zhang & Wang 2009). We refer to key-IV pairs that generate one or more registers containing all-zeros at the end of the loading phase as weak key-IV pairs.

Copyright © 2014, Australian Computer Society, Inc. This paper appeared at the Australasian Information Security Conference (ACSW-AISC 2014), Auckland, New Zealand, January 2014. Conferences in Research and Practice in Information Technology (CRPIT), Vol. 149, Udaya Parampalli and Ian Welch, Ed. Reproduction for academic, not-for-profit purposes permitted provided this text is included.

In A5/1, the key and IV are loaded by clocking the registers and combining successive key and IV bits with the usual register feedback; thus, the registers' feedback mechanism is not autonomous during this process. For some non-zero key-IV combinations, this results in one or more of the registers containing only zeroes at the end of the loading phase.

In this paper, we establish conditions under which such weak key-IV pairs exist for the A5/1 cipher. We show that if a weak key-IV pair results in two or three of the registers containing all-zero values, then the generated keystream is easy to distinguish and the cipher is vulnerable to attack. Under these circumstances, a ciphertext-only attack can be used to reveal the secret key and hence to decrypt the entire conversation.

This paper is organized as follows. Section 2 provides a full description of the A5/1 stream cipher including the non-autonomous feedback mechanism during the loading phase of the initialisation process. Section 3 provides a matrix representation for the operation of an autonomous LFSR and adapts this technique to a non-autonomous LFSR as used in the loading phase of A5/1. This representation is used in Section 4 to determine the conditions under which one, two and three registers contain all-zero values. Section 5 presents a possible ciphertext-only attack procedure to reveal the secret key in the cases where two or three registers contain only zeros. Section 6 concludes the paper.

2 Description of A5/1

A5/1 (Biryukov et al. 2001, Golić 1997) is a bit based stream cipher which uses three binary LFSRs, denoted A, B and C, with lengths of 19, 22 and 23 bits respectively, giving a state size of 64 bits. Each LFSR has a primitive feedback polynomial. Let $S$ denote the internal state of A5/1 and let $S_A$, $S_B$ and $S_C$ denote the internal states for the component registers A, B and C respectively. Let $s^i_{a,t}$ denote the contents of stage $i$ of register A at time $t$, for $0 \le i \le 18$, $s^i_{b,t}$ denote the contents of stage $i$ of register B at time $t$, for $0 \le i \le 21$, $s^i_{c,t}$ denote the contents of stage $i$ of register C at time $t$, for $0 \le i \le 22$ respectively.

A secret key of 64 bits is used for each conversation and a 22-bit frame number is used as the IV for each frame. Let $k_i$ denote the secret key for $0 \le i \le 63$ and $v_i$ denote the IV for $0 \le i \le 21$. The three registers are regularly clocked during loading of the key and IV (frame number), while a majority clocking mechanism is used for the diffusion phase and for keystream generation. The use of majority clocking implicitly introduces nonlinearity to the keystream sequence. This is the only nonlinear operation performed.

Proceedings of the Twelfth Australasian Information Security Conference (AISC 2014), Auckland, New Zealand


To implement the majority clocking scheme, each register has a clocking tap: stages $s^8_{a,t}$, $s^{10}_{b,t}$ and $s^{10}_{c,t}$. The contents of these stages determine which registers will be clocked at the next iteration: those registers for which the clock control bits agree with the majority value are clocked. For example, if $s^8_{a,t} = 0$, $s^{10}_{b,t} = 1$ and $s^{10}_{c,t} = 0$, then the majority value is 0 and registers A and C are clocked. Thus, either two or three registers are clocked at each step. Figure 1 shows a pictorial diagram of the A5/1 stream cipher.

[Figure 1: A5/1 Stream cipher. The diagram shows Registers A, B and C, each with its clocking tap.]

2.1 Initialisation process

The initialisation process is conducted in two phases as follows.

2.1.1 Loading phase

At the beginning, all stages of the three registers are set to zero. Each LFSR is regularly clocked 64 times as each key bit, $k_i$, is XORed with the register feedback to form the new value of stage $s^0$. Following this, each register is regularly clocked 22 times as the IV is loaded in the same manner (Biryukov et al. 2001). At the end of the loading phase, the register contents form the loaded state. Note that the state update function during the loading phase is entirely linear. That is, the contents of each stage in each register comprise a linear combination of key and IV bits.

2.1.2 Diffusion phase

The diffusion phase involves performing 100 iterations of the initialisation state update function using the majority clocking scheme. During this phase, no output is produced. At the end of the diffusion phase the cipher is in its initial state and is ready for keystream generation.

2.2 Keystream Generation

Keystream generation comprises 228 iterations using the same majority clocking rule used during the diffusion phase. In each iteration, the keystream bit is obtained by XORing the output bit of the three registers. That is, $z_t = s^{18}_{a,t} \oplus s^{21}_{b,t} \oplus s^{22}_{c,t}$.

A conversation between two parties A and B is sent as a series of frames, each of 4.6 milliseconds duration. Each frame uses 228 bits of keystream: 114 bits to communicate from A to B and another 114 bits to communicate from B to A. All frames within a conversation are encrypted using the same key, with the frame number being used as the initialisation vector; thus, successive frames use the same key and consecutive IVs for their encryption.

2.3 Origin of Weak Key-IV Pairs

During the loading phase, the LFSRs in A5/1 have a non-autonomous feedback mechanism, since the value of the new bit of each LFSR during this phase depends on both the feedback bit and an external value (either the key or IV bit). However, the LFSRs operate or clock independently as the regular clocking mechanism is used during this phase. Because of the non-autonomous feedback, non-zero key-IV pairs may result in an all-zero loaded state for one or more of the registers.

During the diffusion phase and keystream generation process, the LFSRs of A5/1 have an autonomous feedback mechanism, as there is no direct external input to the LFSRs. However, the LFSRs operate dependently during these processes, since each LFSR is clocked using the majority clocking rule and depends on the values of clocking bits of other LFSRs.

As noted, the non-autonomous feedback mechanism during the loading phase implies that one or more of the LFSRs may contain all-zeros at the end of this phase, since a non-zero LFSR state is only guaranteed if the LFSR uses autonomous feedback from a non-zero starting point. On the other hand, the autonomous feedback during the diffusion and keystream generation processes guarantees that any LFSR which contained all-zeros at the end of the loading phase will remain in that state. (Although the individual bits are clocked through the LFSR, the feedback bit is always zero, so the register continues to contain only zeros.)

At the end of the initialisation process, if two or three LFSRs contain all-zero values, then the keystream generated following this specific initialisation will be constant, consisting entirely of zeros or entirely of ones. This flaw results in sending a message as either clear text if the keystream is zeros, or as the complement of the plaintext if the keystream is all ones. Clearly this is not a desirable outcome. In the case of one LFSR containing all-zero values, the effective size of the state space is reduced but the keystream appears to remain random (see Section 4.3).

3 Analysis of the Loading Phase

As the operation of the LFSRs during the loading phase is linear, it can easily be represented in terms of matrix operations. An analysis of the matrices involved then enables us to identify the conditions under which a weak key-IV pair can occur.

The autonomous operation of each LFSR can be described in terms of a matrix equation (Lidl & Niederreiter 1997) as follows. Suppose that the stages of the LFSR are denoted as $s^0, s^1, \ldots, s^d$, the update coefficients are $c_0, c_1, \ldots, c_d$ and that the update function can be represented as

$$s^0_{t+1} = c_0 s^0_t \oplus c_1 s^1_t \oplus \ldots \oplus c_d s^d_t$$

$$s^j_{t+1} = s^{j-1}_t, \qquad 1 \le j \le d$$

Putting $S_t = [s^0\ s^1\ \ldots\ s^d]^T$, the LFSR update (clocking) operation can be represented by the equivalent matrix equation

CRPIT Volume 149 - Information Security 2014


$$S_{t+1} = T S_t \quad \text{where} \quad T = \begin{bmatrix} c_0 & c_1 & \cdots & c_{d-1} & c_d \\ 1 & 0 & \cdots & 0 & 0 \\ 0 & 1 & \cdots & 0 & 0 \\ \vdots & \vdots & \ddots & \vdots & \vdots \\ 0 & 0 & \cdots & 1 & 0 \end{bmatrix}$$

is the state transition matrix of the LFSR.

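During the loading of the key into the LFSR, the LFSR state update function is given by

$$S_{t+1} = T S_t \oplus \sigma k_t \qquad (1)$$

where $\sigma = [1\ 0\ \ldots\ 0]^T$ indicates that the new key bit is XORed into the feedback of the LFSR. If we take $t = \tau$ to indicate the LFSR state before loading commences and iterate this process several times, from $t = \tau$ to $t = \tau + l$ (where $l$ denotes the key length), we have

$$\begin{aligned}
S_{\tau+1} &= T S_\tau \oplus \sigma k_0 \\
S_{\tau+2} &= T(T S_\tau \oplus \sigma k_0) \oplus \sigma k_1 = T^2 S_\tau \oplus T\sigma k_0 \oplus \sigma k_1 \\
&\ \ \vdots \\
S_{\tau+l} &= T^l S_\tau \oplus T^{l-1}\sigma k_0 \oplus T^{l-2}\sigma k_1 \oplus \ldots \oplus T\sigma k_{l-2} \oplus \sigma k_{l-1} \\
&= T^l S_\tau \oplus NK
\end{aligned}$$

where $N = [T^{l-1}\sigma\ \ T^{l-2}\sigma\ \ \ldots\ \ T\sigma\ \ \sigma]$ and $K = [k_0\ k_1\ \ldots\ k_{l-2}\ k_{l-1}]^T$.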

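The above analysis can be extended easily to cases such as A5/1, which have three LFSRs, by denoting the states of the three LFSRs as $S_A$, $S_B$ and $S_C$, their state transition matrices as $T_A$, $T_B$ and $T_C$, their $\sigma$ matrices as $\sigma_A$, $\sigma_B$ and $\sigma_C$ and defining the state transition matrix of the combined system in matrix block form as

$$T = \begin{bmatrix} T_A & 0 & 0 \\ 0 & T_B & 0 \\ 0 & 0 & T_C \end{bmatrix} \quad \text{acting on} \quad \begin{bmatrix} S_A \\ S_B \\ S_C \end{bmatrix}$$

Likewise, denoting the $\sigma$ and $N$ matrices of each LFSR as $\sigma_A$, $\sigma_B$, $\sigma_C$ and $N_A$, $N_B$, $N_C$, the combined $\sigma$ and $N$ matrices for the whole system can be defined as

$$\sigma = \begin{bmatrix} \sigma_A \\ \sigma_B \\ \sigma_C \end{bmatrix} \quad \text{and} \quad N = \begin{bmatrix} N_A \\ N_B \\ N_C \end{bmatrix}$$

With these modifications, the equation above, $S_{\tau+l} = T^l S_\tau \oplus NK$, is also valid for the combined system. Noting that $S_\tau = [0\ 0\ \ldots\ 0]^T$ for the LFSRs of A5/1, this equation reduces to $S_{\tau+l} = NK$.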

A similar analysis can also be undertaken for loading the IV bits into the LFSRs. For a 64-bit key and a 22-bit IV, we have

$$S_{\tau+64} = NK$$

$$S_{\tau+86} = T^{22} NK \oplus MV \qquad (2)$$

where $M = [T^{21}\sigma\ \ T^{20}\sigma\ \ \ldots\ \ T\sigma\ \ \sigma]$ and $V = [v_0\ v_1\ \ldots\ v_{20}\ v_{21}]^T$.

Now set $\tau = -86$, so that $S_0$ represents the loaded state of the system, and consider the behaviour of the loading phase of A5/1. The terms $T^{22}NK$ and $MV$ are XORed together. So, they can be represented by concatenating $T^{22}N$ and $M$ and multiplying by a new vector $KV$, where $KV = [k_0\ k_1\ \ldots\ k_{62}\ k_{63}\ v_0\ v_1\ \ldots\ v_{20}\ v_{21}]^T$ as follows

$$S_0 = [T^{22}N \,\|\, M]\,KV \qquad (3)$$

We can apply Equation 2 to each LFSR of A5/1. Let $S_A$, $T_A$, $N_A$ and $M_A$ represent the required matrices for LFSR A. Similarly, matrices can be written for LFSRs B and C as $S_B$, $T_B$, $N_B$, $M_B$ and $S_C$, $T_C$, $N_C$, $M_C$ respectively. The new equations for each LFSR can be written as follows:

$$S_{A,\tau+86} = T_A^{22} N_A K \oplus M_A V$$

$$S_{B,\tau+86} = T_B^{22} N_B K \oplus M_B V$$

$$S_{C,\tau+86} = T_C^{22} N_C K \oplus M_C V$$

Now, we apply Equation 3 to each LFSR of A5/1; the equations are as follows:

$$S_{A,0} = [T_A^{22} N_A \,\|\, M_A]\,KV$$

$$S_{B,0} = [T_B^{22} N_B \,\|\, M_B]\,KV$$

$$S_{C,0} = [T_C^{22} N_C \,\|\, M_C]\,KV$$

4 Findings and Results

This analysis investigates the effect on the security of the A5/1 cipher when the loading phase results in a loaded state with one or more LFSRs containing all-zero values. We call any of these states a weak loaded state. As discussed in Section 2.3, if the contents of any LFSR is all-zeros after the loading phase, it will remain so for the whole of the diffusion and keystream generation phases, since the LFSR has no external input during these phases. Thus, the LFSR contents will not be changed until the cipher is re-initialised to encrypt the next frame in the conversation.

The total size of the secret key and IV for A5/1 is 64 + 22 = 86 bits, which exceeds the 64-bit state size. In addition, the state-update function is linear during the loading phase. From this, it follows that there are $2^{22}$ weak key-IV pairs corresponding to each possible weak loaded state. In fact, each pair comprises exactly one of the $2^{22}$ possible IVs and a corresponding key.

To investigate the effects of weak loaded states, we consider three scenarios: three LFSRs contain all-zero values, two LFSRs contain all-zero values and one LFSR contains all-zero values, as discussed later. For each scenario, we identify the relationships between key and IV bits that correspond to the weak key-IV combinations.

4.1 Three LFSRs all Zeros

This section focuses on the scenario where all three LFSRs contain all-zero values after completing the loading phase. These three LFSRs will be clocked and produce all zero output bits continuously until the next rekeying. Thus the keystream bits obtained by XORing these three outputs will also be zeros.

From Equation 3, the loaded contents of these three LFSRs are expressed in the three terms $T_A^{22}N_A \| M_A$, $T_B^{22}N_B \| M_B$ and $T_C^{22}N_C \| M_C$. We start with assuming these three terms ($T_A^{22}N_A \| M_A$, $T_B^{22}N_B \| M_B$, $T_C^{22}N_C \| M_C$) are equal to all-zeros and analyse the resulting system of equations using Gaussian Elimination. This process generates the relationship between key and IV bits that result in all three LFSRs containing only zeros. We have 64 equations with 86 variables, and hence 22 variables can be chosen freely.

Table 1: Weak key-IV example: three all-zero LFSRs

key: 0010000000100000100111001101110110000001001101111001000000100011
IV: 1110000000000000000000
loaded state:
    A 0000000000000000000
    B 0000000000000000000000
    C 00000000000000000000000
initial state:
    A 0000000000000000000
    B 0000000000000000000000
    C 00000000000000000000000
Keystream: 0x000000000000000000000000000000000000000000000000000000000

In particular, we may choose the IV bits ($v_0$, $v_1$ to $v_{21}$) freely and use these to determine the corresponding 64-bit secret key that will result in all three registers containing all-zeros. The 22 free IV bits specify the 64 key bits according to the system of equations presented in Appendix A. By choosing all possible values of the 22 free IV bits, we see that the total number of weak key-IV pairs of this type is $2^{22}$ and the probability that a randomly chosen key-IV pair satisfies these equations is $2^{-64}$.

As each of these pairs corresponds to a single IV and an associated key, the probability that a randomly chosen key belongs to a weak pair of this type is $2^{22}/2^{64} = 2^{-42}$. Since each conversation is encrypted with a single key, this is equivalent to stating that the probability of a single (randomly chosen) conversation being encrypted with one of these keys is also $2^{-42}$.

Now consider a conversation encrypted with a key which belongs to one of these weak key-IV pairs. If the conversation contains $N$ frames, there is a further probability of $N/2^{22}$ that the IV from this weak pair has been used to encrypt one of these frames. Therefore, there is an overall probability of $N \times 2^{-64}$ that a randomly chosen conversation contains a frame that has been encrypted with a weak key-IV pair of this sort.

Based on this analysis, Table 1 shows an example of a weak key-IV pair that produces a fixed all-zero keystream. The keystream is presented in hexadecimal notation, to save space. As expected, the three LFSRs A, B and C contain all-zero values after performing the loading phase.

4.2 Two LFSRs all Zeros

This section focuses on the scenario in which two LFSRs contain all-zero values after performing the loading phase. As the clocking stage in each of these two LFSRs will contain a zero, the majority value will be zero. Hence, these two LFSRs will be clocked every time; however, the contents of these two LFSRs will remain all-zeros. The third LFSR will be clocked only until the content of its clocking stage has value "1". Since the diffusion phase consists of 100 clocking steps before producing any keystream bits, this process will ensure that the third LFSR will be in a fixed state before the keystream generation begins.

The keystream bit $z$ is obtained by XORing the contents of the final stage of each LFSR: $s^{18}_a$, $s^{21}_b$ and $s^{22}_c$ for LFSRs A, B and C respectively, since $z_t = s^{18}_{a,t} \oplus s^{21}_{b,t} \oplus s^{22}_{c,t}$. The final stage of the non-zero LFSR will be fixed, and could contain either 0 or 1, while the final stages of the other two LFSRs contain zeros. The value in this stage of the fixed register is the value of the keystream bit. Thus the keystream has constant value for the entire frame.

Using the equations developed in Section 3, we can relate the contents of the three LFSRs after the loading phase to the key and IV bits that were loaded into these LFSRs. From Equation 3, the behaviour of these three LFSRs is expressed in the three terms $T_A^{22}N_A \| M_A$, $T_B^{22}N_B \| M_B$ and $T_C^{22}N_C \| M_C$. Our analysis is conducted under the assumption that we are looking for two LFSRs which have zero content in each stage of these two LFSRs after performing the loading phase, as shown in the three cases:

Case 1 LFSRs A and B have zero content

Case 2 LFSRs A and C have zero content

Case 3 LFSRs B and C have zero content

Note in passing that the scenario where all three LFSRs contain all-zero values is the conjunction of these three cases.

As before, we start with the terms ($T_A^{22}N_A \| M_A$, $T_B^{22}N_B \| M_B$), ($T_A^{22}N_A \| M_A$, $T_C^{22}N_C \| M_C$) and ($T_B^{22}N_B \| M_B$, $T_C^{22}N_C \| M_C$). Setting each term equal to all-zeros and applying Gaussian Elimination will give us the conditions and relationships between key and IV bits that apply to these weak key-IV pairs. For the three cases, we have 41, 42, 45 equations respectively with 86 variables, and hence 45, 44 and 41 variables can be chosen freely.

Conditions and probabilities of the weak key-IV combinations depend on the number of available free bits. Table 2 shows the number of key and IV free bits that must be chosen to form a 64-bit secret key that results in a weak key-IV pair of each type. All of these weak key-IV pairs result in two all-zero LFSRs and produce fixed keystream for the entire frame.

Table 2: Number of free bits for weak key-IV of each case for two LFSRs all-zero

Cases              1    2    3
Key free bits      23   22   19
Involved IV bits   22   22   22

Case 1: We consider first the case where LFSRs A and B both contain all-zeros. In this case, a 64-bit secret key can be determined from 23 free key bits ($k_{41}$, $k_{42}$, $k_{43}$ to $k_{63}$) and 22 IV bits ($v_0$, $v_1$ to $v_{20}$, $v_{21}$). These 45 bits specify the remaining 41 key bits using the system of equations in Appendix B. Therefore, by choosing all possible values for the 23 key free bits and the 22 IV bits, the total number of weak key-IV pairs for Case 1 is $2^{45}$ and the probability that a randomly chosen key-IV pair satisfies this system of equations is $2^{-41}$. It can be shown that each weak pair for Case 1 involves a unique key, so the probability that a randomly chosen key belongs to a weak pair of this sort is $2^{-19}$ and the probability that a randomly chosen conversation of $N$ frames contains a frame that has been encrypted with a Case 1 key-IV pair is $2^{-19} \times N/2^{22} = N \times 2^{-41}$.

Table 3: Two examples of weak key-IV (Case 1)

Example 1
key: 0110100101000010100110111011101001001011011111111111111111111001
IV: 1110000000000000000000
loaded state:
    A 0000000000000000000
    B 0000000000000000000000
    C 11111110110010110111001
initial state:
    A 0000000000000000000
    B 0000000000000000000000
    C 11111111011001011011100
Keystream: 0x000000000000000000000000000000000000000000000000000000000

Example 2
key: 1000001000101110111010101011001101100110111111111111111111111001
IV: 1100000000000000000000
loaded state:
    A 0000000000000000000
    B 0000000000000000000000
    C 11101101110111110100111
initial state:
    A 0000000000000000000
    B 0000000000000000000000
    C 01110110111011111010011
Keystream: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Based on this analysis, Table 3 shows two examples of Case 1 weak key-IV pairs that produce fixed keystream (either zeros or ones). The keystream is again presented in hex. Note that the bold and underlined bits are the clocking control bits and the output bits respectively of the LFSRs A, B and C. The two LFSRs A and B contain all zeros after performing the loading phase due to the non-autonomous operation. In each example, the keystream bits are just repeated copies of the output bit of the LFSR C.

Case 2: We now consider the case where LFSRs A and C both contain all-zeros. As in the previous cases, it is possible to obtain a weak key-IV combination for A5/1 from this condition. For Case 2, a 64-bit secret key is formed from 22 key free bits ($k_{42}$, $k_{43}$ to $k_{63}$) and 22 IV bits ($v_0$, $v_1$ to $v_{21}$). These 44 bits specify the remaining 42 key bits using the system of equations in Appendix B. Therefore, by choosing all possible values for the 22 key free bits and the 22 IV bits, the total number of weak key-IV for Case 2 is $2^{44}$ and the probability that a randomly chosen key-IV pair satisfies this system of equations is $2^{-42}$. Each weak pair for Case 2 again involves a unique key, so the probability that a randomly chosen key belongs to a weak pair of this sort is $2^{-20}$ and the probability that a randomly chosen conversation of $N$ frames contains a frame that has been encrypted with a Case 2 key-IV pair is $N \times 2^{-42}$.

Based on this analysis, Table 4 shows two examples of weak key-IV pairs that produce fixed keystream (either zeros or ones). As before, the keystream is presented in hex, the bold bits are the clocking taps and the underlined bits are the output bits. The keystream bits in these examples have the same value as the output bit of LFSR B.

Table 4: Two examples of weak key-IV (Case 2)

Example 1
key: 0101100010011111010111110101111001010101001111111111111110111001
IV: 1110000000000000000000
loaded state:
    A 0000000000000000000
    B 0101010101110110001000
    C 00000000000000000000000
initial state:
    A 0000000000000000000
    B 0101010101110110001000
    C 00000000000000000000000
Keystream: 0x000000000000000000000000000000000000000000000000000000000

Example 2
key: 0111111010110100000001110001110110001110101111111111111110111001
IV: 1100000000000000000000
loaded state:
    A 0000000000000000000
    B 0001101100100110101011
    C 00000000000000000000000
initial state:
    A 0000000000000000000
    B 0001101100100110101011
    C 00000000000000000000000
Keystream: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Case 3: Consider finally the case where LFSRs B and C both contain all-zeros. For this case, a 64-bit secret key is formed from 19 key free bits ($k_{45}$, $k_{46}$ to $k_{63}$) and 22 IV bits ($v_0$, $v_1$ to $v_{21}$). These 41 bits specify the remaining 45 key bits using the system of equations in Appendix B. Therefore, by choosing all possible values for the 19 key free bits and the 22 IV bits, the total number of weak key-IV for Case 3 is $2^{41}$ and the probability that a randomly chosen key-IV pair satisfies these equations is $2^{-45}$. As for the other cases, each weak pair for Case 3 involves a unique key, so the probability that a randomly chosen key belongs to a weak pair of this sort is $2^{-23}$ and the probability that a randomly chosen conversation of $N$ frames contains a frame that has been encrypted with a Case 3 key-IV pair is $N \times 2^{-45}$.

Based on this analysis, Table 5 shows two examples of weak key-IV pairs that produce fixed keystream (either zeros or ones). Once again, the keystream is presented in hex, the bold bits are the clocking taps and the underlined bits are the output bits. In these examples, the keystream bits have the same value as the output bit of LFSR A.

Collating the results above, the number of weak key-IV combinations for Cases 1, 2 and 3 are $2^{45}$, $2^{44}$ and $2^{41}$ respectively. Moreover, apart from the scenario with three all-zero registers, the resulting key-IV pairs are distinct. Therefore, the total number of weak key-IV combinations, when two LFSRs are all-zero, is $2^{45.64}$. Likewise, the probability that a randomly chosen key-IV pair satisfies the equations for any of these cases is found to be $2^{-40.36}$ and the probability that a randomly chosen conversation of N frames contains a frame that has been encrypted with any of these key-IV pairs is $N \times 2^{-40.36}$.

4.3 One LFSR all Zeros

It is possible to find that exactly one LFSR contains all-zero values after the loading phase. Whether this LFSR is clocked or not during the keystream generation, the contribution to the keystream bit from this LFSR is zero. In this situation at least one of the other two LFSRs will be clocked. The value of the keystream bits actually depends only on the content of the last bit of these other two LFSRs.

Proceedings of the Twelfth Australasian Information Security Conference (AISC 2014), Auckland, New Zealand

Table 5: Two examples of weak key-IV (Case 3)

key            1011100011000000100000011000111111010011111111111111110111111001
IV             1100000000000000000000
loaded state   A 0100000100010000001
               B 0000000000000000000000
               C 00000000000000000000000
initial state  A 1010000010001000000
               B 0000000000000000000000
               C 00000000000000000000000
Keystream      0x000000000000000000000000000000000000000000000000000000000

key            1010011010110011010110100000010110000010010011111111110111111001
IV             1111000000000000000000
loaded state   A 1011100001111110100
               B 0000000000000000000000
               C 00000000000000000000000
initial state  A 1100101110000111111
               B 0000000000000000000000
               C 00000000000000000000000
Keystream      0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Once again, we use the equations developed in Section 3 to relate the contents of the three LFSRs after the loading phase to the key and IV bits that were loaded into these LFSRs. From Equation 3, the contents of the three LFSRs are expressed in the three terms $T_A^{22} N_A \| M_A$, $T_B^{22} N_B \| M_B$ and $T_C^{22} N_C \| M_C$. Our analysis is conducted under the assumption that we are looking for a single LFSR which has all-zeros in its stages after performing the loading phase, as shown in the three cases:

Case 4 LFSR A contains all-zero values

Case 5 LFSR B contains all-zero values

Case 6 LFSR C contains all-zero values

The pairwise conjunctions of these cases are the three cases from the scenario with two all-zero registers (Section 4.2), while the triple conjunction is the scenario where all three LFSRs contain all-zero values.

Equation 3 is analysed using Gaussian Elimination (GE) to find the conditions mentioned above. We start by setting the term ($T_A^{22} N_A \| M_A$) equal to zero to find the relationship between key and IV bits. This process is applied similarly for the other two terms ($T_B^{22} N_B \| M_B$) and ($T_C^{22} N_C \| M_C$). This process generates the relationship between key and IV bits that result in an LFSR containing all-zero values after performing the loading phase. For the three cases (4, 5 and 6), we have 19, 22, 23 equations respectively. For each case, there are 86 variables, and hence 67, 64 and 63 variables can be chosen freely in the respective cases.

The conditions and the probabilities of the weak key-IVs depend on the number of free bits. Table 6 shows the number of key and IV free bits that must be chosen to form a 64-bit secret key that yields a weak key-IV pair in which one LFSR has all-zero values for the entire frame.

Table 6: Number of free bits for weak key-IV of each Case for one LFSR all-zero

cases              4    5    6
key free bits      45   42   41
Involved IV bits   22   22   22

Table 7: Example of weak key-IV (Case 4)

key            1001111011001000001111111111111111111110011111111111111111111001
IV             1110000000000000000000
loaded state   A 0000000000000000000
               B 0100000111000111010100
               C 11010011010111101110110
initial state  A 0000000000000000000
               B 1011101101100100100111
               C 11011011011011100110011
Keystream      0x507802ACC6711F53C436082322478AE8CB842631EA9CB9CC6869D6FCA

Case 4: For Case 4, a 64-bit secret key is formed from 45 key free bits (k19, k20 to k63) and 22 IV bits (v0, v1 to v21). These 67 bits specify the remaining 19 key bits using the relevant system of equations. Therefore, by choosing all possible values for the 45 and 22 free key and IV bits respectively, the total number of weak key-IV pairs for Case 4 is $2^{67}$ and the probability that a randomly chosen key-IV pair satisfies these equations is $2^{-19}$. In this case, each of the $2^{64}$ possible keys belongs to exactly 8 Case 4 key-IV pairs. For any given key, the IVs in these pairs are distributed almost regularly through the IV space, so the probability that a randomly chosen conversation of N frames contains a frame that has been encrypted with a Case 4 key-IV pair is $N \times 2^{-19}$ for $N \le 524043$ and rises to 1 for $N \ge 524339$. (Note: $2^{19} = 524288$.)

Based on this analysis, Table 7 shows an example of a weak key-IV pair that results in LFSR A containing all-zero values until the next rekeying. The keystream is presented in hex and depends only on LFSRs B and C. LFSR A contains all-zero values after performing the loading phase due to the nonautonomous feedback operation during that phase.

Case 5: For Case 5, a 64-bit secret key is formed from 42 key free bits (k22, k23 to k63) and 22 IV bits (v0, v1 to v21). These 64 key-IV bits specify the remaining 22 key bits using the relevant system of equations. Therefore, by choosing all possible values for the 42 key free bits and the 22 IV free bits, the total number of weak key-IV pairs for Case 5 is $2^{64}$ and the probability that a randomly chosen key-IV pair satisfies these equations is $2^{-22}$. Each of the $2^{64}$ possible keys belongs to exactly one Case 5 key-IV pair and the probability that a randomly chosen conversation of N frames contains a frame that has been encrypted with a Case 5 key-IV pair is $N \times 2^{-22}$.

Based on this analysis, Table 8 shows an example of a weak key-IV pair that produces a keystream from only two effective LFSRs A and C. LFSR B contains all-zero values after performing the loading phase due to the nonautonomous operation.

CRPIT Volume 149 - Information Security 2014


Table 8: Example of weak key-IV (Case 5)

key            1000010110000110010111111110111101111110011111111111111111111001
IV             1110100000000000000000
loaded state   A 0001110101010110110
               B 0000000000000000000000
               C 01111000000000100101011
initial state  A 0111101111111010110
               B 0000000000000000000000
               C 11011010101110111010111
Keystream      0x22832052674272A5FE39A39A530A861AD7672C4976B4B4EBE5A3C7413

Case 6: For Case 6, a 64-bit secret key is formed from 41 key free bits (k23, k24 to k63) and 22 IV bits (v0, v1 to v21). These 63 bits specify the remaining 23 key bits using the relevant system of equations. Therefore, by choosing all possible values for the 41 key free bits and the 22 IV free bits, the total number of weak key-IV pairs for Case 6 is $2^{63}$ and the probability that a randomly chosen key-IV pair satisfies these equations is $2^{-23}$. Each weak pair for Case 6 involves a unique key, so the probability that a randomly chosen key belongs to a weak pair of this sort is one-half and the probability that a randomly chosen conversation of N frames contains a frame that has been encrypted with a Case 6 key-IV pair is $N \times 2^{-23}$.

Based on this analysis, Table 9 shows an example of a weak key-IV pair that produces a keystream using two effective LFSRs A and B. LFSR C contains all-zero values after performing the loading phase until the next rekeying due to the nonautonomous operation during the loading phase.

Table 9: Examples of weak key-IV (Case 6)

key            0011110000100011100000111111111111111110011111111111111111111001
IV             1110000000000000000000
loaded state   A 1001100111001111111
               B 1011111011111010101110
               C 00000000000000000000000
initial state  A 0000101101110000000
               B 1000011100111100110000
               C 00000000000000000000000
Keystream      0x0F162408D5ACED21E25C9CD1B78E0E0A687BCE90F2643E52E99013206

Collating the results for this scenario, the number of weak key-IV pairs for Cases 4, 5 and 6 are $2^{67}$, $2^{64}$ and $2^{63}$ respectively. Therefore, the total number of weak key-IV pairs that result in one LFSR of A5/1 containing all-zeros is $2^{67.25}$ and the probability that a randomly chosen key-IV pair satisfies the equations for any of these cases is $2^{-18.75}$. (The key-IV pairs from Cases 1, 2 and 3 are included among these, but form a negligible proportion (approximately $2^{-21.6}$) of this total.) Each of the $2^{64}$ possible keys belongs to 8 Case 4 key-IV pairs and one Case 5 pair, while half of them belong to a Case 6 pair as well. Thus, every conversation is encrypted with a key that belongs to either 9 or 10 weak key-IV pairs from Cases 4, 5 or 6, and (for $N \ll 2^{19}$) the probability that a randomly chosen conversation of N frames contains a frame that has been encrypted with a weak pair of this sort is approximately $9.5 \times N \times 2^{-22} = N \times 2^{-18.75}$. (For N approaching $2^{19}$, this probability rises to 1 for $N \ge 524339$.)

Statistical analysis

In the scenarios where two or three registers contain all-zero values, the keystream is constant and hence immediately distinguishable, but this is not the case for the scenario in which a single register contains all-zero values. On the other hand, the latter scenario potentially occurs in every conversation and its probability of occurrence in a conversation of moderate length is quite high, so it is worth investigating whether the keystream from this scenario can also be distinguished from the keystream obtained when none of the registers contains all-zero values. The rest of the section therefore focuses on statistical analyses which might distinguish a keystream from A5/1 that is generated by two LFSRs only (while the third LFSR contains all-zero values) from another keystream generated by three LFSRs (in normal operation).

Gustafson (Gustafson 1996) described statistical randomness tests of symmetric ciphers and the National Institute of Standards and Technology (NIST) (Rukhin et al. 2010) gives 15 tests that measure the degree of randomness of a given sequence of bits.

The most powerful tests are examined: Balance, Runs tests and Linear complexity. The Balance test is also referred to as the Frequency (Monobit) test in some references, and the Uniformity test in others. The Balance test measures the proportion of zeros and ones for an entire sequence. The number of zeros and ones for a given sequence should meet the conditions of the randomness test, with probabilities $P(0) = P(1) = \frac{1}{2}$. The Runs test focuses on the total number of runs in a sequence. A run is an uninterrupted sequence of a particular character, either zeros or ones. Linear Complexity determines the smallest LFSR that can generate the whole keystream over the finite field $F_2^n$ using the Berlekamp-Massey algorithm (Menezes et al. 1996).

Keystream sequences are generated for different scenarios of the targeted operation of the A5/1 cipher as follows:

• None of the LFSRs A, B or C contain all-zero values (A, B and C all participate to form the keystream bits)

• LFSR A contains all zeros (B and C participate to form the keystream bits)

• LFSR B contains all zeros (A and C participate to form the keystream bits)

• LFSR C contains all zeros (A and B participate to form the keystream bits)

For each scenario, we performed an experiment involving computer simulation. In each trial, we generated $10^5$ random loaded states using the C library seeded random function to generate a 228-bit keystream segment (frame) from each loaded state. The Balance and Runs tests are applied to these generated frames. Figure 2 demonstrates the Balance test for each scenario. Table 10 shows the result of the Runs test. Figures 3 and 4 show the result of linear complexity of A5/1 for frame length 228 bits and 2000 bits respectively.

Figure 2: Result of the Balance test for zeros bits (x-axis: number of zeros; y-axis: number of frames; series: ABC, BC, AC, AB)

Figure 3: Linear Complexity for keystream sequences, for n = 228 bits (x-axis: keystream, n = 228 bits; y-axis: linear complexity; series: ABC, AB, AC, BC)

Figure 4: Linear Complexity for keystream sequences, for n = 2000 bits (x-axis: keystream, n = 2000 bits; y-axis: linear complexity; series: ABC, AB, AC, BC)

From the above tests, the distributions of the respective patterns for all scenarios appear to be similar. It seems that a keystream generated from two non-zero LFSRs (while the third LFSR contains all-zeros) cannot be distinguished using Balance, Runs or linear complexity tests. Since we have not determined a way to distinguish such a keystream, we will not discuss further any method of attacking A5/1 in this case.

Table 10: The average counts from the runs test for 4 scenarios based on $10^5$ randomly simulated states

Runs   A,B,C    B,C      A,C      A,B
1      57.471   57.504   57.509   57.497
2      28.592   28.621   28.634   28.621
3      14.255   14.261   14.237   14.255
4      7.091    7.087    7.103    7.115
5      3.532    3.523    3.532    3.529
6      1.767    1.759    1.752    1.756
7      0.874    0.875    0.872    0.869
8      0.437    0.437    0.438    0.437
9      0.219    0.216    0.217    0.214
10     0.109    0.110    0.109    0.108
11     0.053    0.055    0.054    0.053
12     0.028    0.027    0.026    0.027
13     0.013    0.014    0.013    0.013
14     0.007    0.007    0.007    0.007
15     0.003    0.003    0.003    0.003
16     0.001    0.001    0.002    0.001
17     0.0      0.001    0.001    0.001
18     0.0      0.0      0.0      0.001
19     0.0      0.0      0.0      0.0
20     0.0      0.0      0.0      0.0
21     0.0      0.0      0.0      0.0
22     0.0      0.0      0.0      0.0
23     0.0      0.0      0.0      0.0
24     0.0      0.0      0.0      0.0
25     0.0      0.0      0.0      0.0

5 Attack Procedure

Since A5/1 has a 64-bit key and a 64-bit internal state, it is not feasible either to guess the internal state and generate keystream or to guess the whole secret key and generate keystream for any given IV. However, if it is possible to identify that the keystream used to encrypt a specific frame arose from one of a reduced set of initial states with a known format, this enables an attacker to reveal the secret key with reduced complexity. In our case, the keystream generated when two or three LFSRs contain all-zeros is immediately identifiable (since it either consists entirely of zeros or entirely of ones), so the occurrence of these scenarios is likewise distinguishable and an attack can be mounted. Moreover, the redundancy of speech enables us to recognise these frames in a ciphertext-only context, which is the least restrictive scenario for an attacker.

This section therefore presents a procedure for identifying when a keystream sequence is either all zeros or all ones and attacking the cipher by finding the corresponding secret key. This procedure covers all cases where two or three LFSRs contain only zeros, so it is not necessary to determine beforehand which two (or three) of the registers contain all-zeros. Note that the procedure focuses on finding the secret key, rather than on decrypting an individual frame assuming the IVs are known. Once the key is obtained, all other frames in the conversation can then be decrypted and the entire message recovered.

Attack Algorithm

The following algorithm is broken into two phases. The first phase is not guaranteed to succeed; however, if the first phase does succeed, the entire algorithm will succeed and the entire message (conversation) will be recovered.

Phase 1 Given an encrypted conversation:

Step 1: Divide the encrypted speech (ciphertext) into separate frames. Each ciphertext frame corresponds to one (known) IV.

Step 2: For each frame, check if either the frame or its bitwise complement is intelligible. If so, proceed to Phase 2.

This phase identifies any frames encrypted with a keystream sequence that is either all zeros or all ones. (If any encrypted frame is intelligible and seems to be plaintext, this indicates that the keystream is all zeros, while if the complement of any encrypted frame is intelligible and seems to be plaintext, this indicates that the keystream is all ones.) If none of the frames in the conversation satisfy this test, the attack fails for this conversation.

Phase 2 Given a frame identified in Phase 1

Step 1: For each of Cases 1, 2 and 3 in turn:

• Guess the free key bits in the relevant set of equations from Appendix B.

• Use these guessed free key bits and the known IV to calculate the remaining key bits using the relevant system of equations.

• Set the guessed and calculated key bits as the current trial key.

• For any other frame in the conversation:

  – Use the A5/1 algorithm to generate keystream from the trial key and the IV of that frame.

  – Try to decrypt the encrypted frame using the generated keystream.

    ∗ If the encrypted frame is decrypted successfully, then the secret key has been identified.

    ∗ If not, repeat the process for another guess.

Step 2: Once the secret key has been found, use this secret key with the known IVs for each frame to decrypt the entire intercepted ciphertext.

This phase checks all potential weak keys until the correct one is found. Since the scenario with three all-zero registers is a special case of the scenario with two all-zero registers, it will also be covered by this search.

Discussion and Attack Complexity: As mentioned previously, the scenarios in which two or three LFSRs contain all-zeros lead to a keystream which is either all zeros or all ones. The corresponding frames of conversation are easily distinguishable, so we refer to these as weak frames. When such a frame is observed, the whole conversation can be decrypted after guessing and checking up to $2^{23.64}$ possible keys to obtain the actual secret key. As discussed in Section 4.2, the probability that a randomly chosen conversation of N frames contains a weak frame of this sort is $N \times 2^{-40.36}$.

Table 11 lists some typical values of N for various lengths of conversation, together with the corresponding probability that a weak frame will be observed in a conversation of that length. If we take 5 minutes as a common length of conversation, we see that roughly one in $2^{24.36} \approx 21.5 \times 10^6$ conversations of this length can be completely decrypted using this attack.

Table 11: Number of frames for various lengths of conversation

No of frames   Conversation time   Probability of weak frame
$2^{14}$       1min 16sec          $2^{-26.36}$
$2^{16}$       5min 2sec           $2^{-24.36}$
$2^{18}$       20min 6sec          $2^{-22.36}$
$2^{20}$       1h 21min            $2^{-20.36}$
$2^{22}$       5h 22min            $2^{-18.36}$

We have also examined the scenario in which only one register contains all-zero values. The keystream generated under this scenario is not immediately distinguishable, so we applied some common statistical randomness tests to see whether these would enable this scenario to be distinguished. Although we have been unable to find a test that does so, this scenario is of great interest as it potentially occurs in every conversation and its probability of occurrence in a conversation of moderate length is quite high, rising to 1 for N just over $2^{19}$ (equivalent to 40 minutes of conversation). Moreover, although the approximation of $N \times 2^{-18.75}$ for this probability does not hold exactly as N approaches $2^{19}$, it is clear that the probability becomes alarmingly high (greater than 1 in 7) for conversations as short as 5 minutes in duration. On the other hand, an attack based on this scenario would require guessing and checking of up to $2^{45.25}$ possible keys in order to find the correct one for that particular conversation.

6 Conclusion

The non-autonomous feedback mechanism which applies during the loading phase of A5/1 may result in weak key-IV pairs, where one or more of the LFSRs contain all zero values at the end of the loading phase. If this condition occurs, it is then maintained during the diffusion and keystream generation phases, potentially leading to a weak keystream.

This paper has considered three scenarios related to weak key-IV pairs in A5/1: all three LFSRs may contain all-zero values, exactly two LFSRs may contain all-zero values or a single LFSR may contain all-zero values. For a conversation containing N frames, the probabilities that the conversation includes a frame satisfying these respective scenarios are $N \times 2^{-64}$, $N \times 2^{-40.36}$ and approximately $N \times 2^{-18.75}$.

When either of the first two scenarios occurs, the corresponding frame is immediately distinguishable, as it contains either plaintext only or complemented plaintext only. Once such a frame has been identified, the secret key can easily be obtained and the entire conversation can then be decrypted.

We have presented a ciphertext-only attack which exploits this weakness; the probability of a successful attack on a five minute conversation is approximately one in 20 million and the complexity of a successful attack is approximately $2^{23.64}$. (Due to the distinguishing nature of this attack, no calculations are required in cases where the targeted scenario does not occur. In particular, no pre-computation is required.)

The third scenario (when a single LFSR contains all-zeros) could potentially lead to a similar attack, provided the resulting keystream can be distinguished. However, finding a distinguisher for this keystream remains an open problem for the moment. If such a distinguisher could be found, conversations as short as 5 minutes in duration would be at high risk of attack, although the associated complexity would be higher.

It should be noted that in the current specification of A5/1, there is no pre-testing of the key-IV pair to identify whether the pair is weak or not, nor is the loaded state checked to determine whether it satisfies any of the above scenarios, but the keystream is used in any case. The weak loaded states arise due to the non-autonomous feedback used during the loading phase, so a completely different loading mechanism would be required if the occurrence of such states is to be avoided. Alternatively, the loaded state could be checked each time the algorithm is re-initialised and a suitable adjustment could be applied if it was found to be a weak state.
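The Gaussian elimination step of Section 4.3 and the post-load check suggested in the paragraph above, as an added Python example that is not code from the paper: it solves the linear loading equations for the determined key bits and reports which registers end up all-zero. Register lengths, taps and clocking bits are assumed to follow the public Briceno et al. (1999) description; the function names and the bit ordering of keys and IVs are this example's own, and the inputs are constructed random bits, not the values in the tables.

```python
# Added example. Assumptions: register lengths, taps and clocking bits as in the
# public Briceno et al. (1999) description; key/IV bit order is this example's own.
import random

LEN = (19, 22, 23)                                     # registers A, B, C
TAPS = ((13, 16, 17, 18), (20, 21), (7, 20, 21, 22))   # feedback taps
CLK = (8, 10, 10)                                      # clocking taps


def step(reg, i):
    """Clock register i once as an autonomous LFSR."""
    fb = 0
    for t in TAPS[i]:
        fb ^= (reg >> t) & 1
    return ((reg << 1) | fb) & ((1 << LEN[i]) - 1)


def load(key_bits, iv_bits):
    """Loading phase: clock all registers regularly, XORing in 64 key bits
    and then 22 IV bits (the non-autonomous feedback)."""
    regs = [0, 0, 0]
    for b in list(key_bits) + list(iv_bits):
        regs = [step(r, i) ^ b for i, r in enumerate(regs)]
    return regs


def keystream(regs, n=228, mix=100):
    """Diffusion (majority clocking, output discarded) then n keystream bits."""
    regs, out = list(regs), []
    for t in range(mix + n):
        c = [(regs[i] >> CLK[i]) & 1 for i in range(3)]
        maj = 1 if sum(c) >= 2 else 0
        regs = [step(r, i) if c[i] == maj else r for i, r in enumerate(regs)]
        if t >= mix:
            out.append(((regs[0] >> 18) ^ (regs[1] >> 21) ^ (regs[2] >> 22)) & 1)
    return out


def weak_registers(regs):
    """Post-load check: names of the registers that hold only zeros."""
    return [name for name, r in zip("ABC", regs) if r == 0]


def pack(regs, which):
    """Concatenate the states of the selected registers into one integer."""
    v = 0
    for i in which:
        v = (v << LEN[i]) | regs[i]
    return v


def solve_weak_key(which, free_key_bits, iv_bits):
    """Return a 64-bit key whose first n bits are solved so that registers
    `which` are all-zero after loading; n is their combined length."""
    n = sum(LEN[i] for i in which)
    if len(free_key_bits) != 64 - n:
        raise ValueError("expected %d free key bits" % (64 - n))
    # Contribution of the free key bits and IV, with the unknown bits at 0.
    target = pack(load([0] * n + list(free_key_bits), iv_bits), which)
    # Loading is linear: column j is the state reached from unknown bit j alone.
    cols = [pack(load([int(i == j) for i in range(64)], [0] * 22), which)
            for j in range(n)]
    # Augmented rows [M | target], one row per state bit, stored as integers.
    rows = []
    for r in range(n):
        row = ((target >> r) & 1) << n
        for j in range(n):
            row |= ((cols[j] >> r) & 1) << j
        rows.append(row)
    # Gauss-Jordan elimination over GF(2).
    for j in range(n):
        p = next((r for r in range(j, n) if (rows[r] >> j) & 1), None)
        if p is None:
            raise ValueError("singular system")
        rows[j], rows[p] = rows[p], rows[j]
        for r in range(n):
            if r != j and (rows[r] >> j) & 1:
                rows[r] ^= rows[j]
    return [(rows[j] >> n) & 1 for j in range(n)] + list(free_key_bits)


def demo(seed=2014):
    """Build one weak pair per scenario from constructed random free bits."""
    rng = random.Random(seed)
    results = {}
    for label, which in (("A", (0,)), ("AB", (0, 1)), ("AC", (0, 2)),
                         ("BC", (1, 2)), ("ABC", (0, 1, 2))):
        n = sum(LEN[i] for i in which)
        free = [rng.getrandbits(1) for _ in range(64 - n)]
        iv = [rng.getrandbits(1) for _ in range(22)]
        regs = load(solve_weak_key(which, free, iv), iv)
        results[label] = (weak_registers(regs), keystream(regs))
    return results


if __name__ == "__main__":
    print({k: (w, sum(ks)) for k, (w, ks) in demo().items()})
```

A loader that calls `weak_registers` after every re-initialisation can flag the frame before any keystream is used, which is the check the paragraph above proposes.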

References

Biryukov, A., Shamir, A. & Wagner, D. (2001), Real Time Cryptanalysis of A5/1 on a PC, in G. Goos, J. Hartmanis, J. Leeuwen & B. Schneier, eds, ‘Fast Software Encryption’, Vol. 1978 of Lecture Notes in Computer Science, Springer Berlin Heidelberg, pp. 1–18.

Briceno, M., Goldberg, I. & Wagner, D. (1999), ‘A pedagogical implementation of A5/1’. http://cryptome.org/jya/a51-pi.htm.

Golic, J. (1997), Cryptanalysis of Alleged A5 Stream Cipher, in W. Fumy, ed., ‘Advances in Cryptology - EUROCRYPT ’97’, Vol. 1233 of Lecture Notes in Computer Science, Springer Berlin Heidelberg, pp. 239–255.

Gustafson, H. (1996), Statistical analysis of symmetric ciphers, PhD thesis, Queensland University of Technology.

Lidl, R. & Niederreiter, H. (1997), Finite fields, Vol. 20, Cambridge University Press.

Menezes, A., Van Oorschot, P. & Vanstone, S. (1996), Handbook of applied cryptography, CRC press.

Rukhin, A., Soto, J., Nechvatal, J., Smid, M., Barker, E., Leigh, S., Levenson, M., Vangel, J., Banks, D., Heckert, A., Dray, J. & Vo, S. (2010), ‘A statistical test suite for random and pseudorandom number generators for cryptographic applications’, NIST, National Institute of Standards and Technology, Computer Security Division. http://csrc.nist.gov/groups/ST/toolkit/rng/documentation_software.html.

Zhang, H. & Wang, X. (2009), ‘Cryptanalysis of Stream Cipher Grain Family’, Cryptology ePrint Archive, Report 2009/109. http://eprint.iacr.org/.

A Three LFSRs contain all-zeros values

The conditions for the system of equations that result in all three LFSRs containing all-zero values can be described as follows:

k0 = v0 ⊕ v1 ⊕ v5 ⊕ v6 ⊕ v8 ⊕ v11 ⊕ v18
k1 = v1 ⊕ v2 ⊕ v6 ⊕ v7 ⊕ v9 ⊕ v12 ⊕ v19
k2 = v2 ⊕ v3 ⊕ v7 ⊕ v8 ⊕ v10 ⊕ v13 ⊕ v20
k3 = v3 ⊕ v4 ⊕ v8 ⊕ v9 ⊕ v11 ⊕ v14 ⊕ v21
k4 = v4 ⊕ v5 ⊕ v9 ⊕ v10 ⊕ v12 ⊕ v15
k5 = v5 ⊕ v6 ⊕ v10 ⊕ v11 ⊕ v13 ⊕ v16
k6 = v6 ⊕ v7 ⊕ v11 ⊕ v12 ⊕ v14 ⊕ v17
k7 = v7 ⊕ v8 ⊕ v12 ⊕ v13 ⊕ v15 ⊕ v18
k8 = v0 ⊕ v1 ⊕ v5 ⊕ v6 ⊕ v9 ⊕ v11 ⊕ v13 ⊕ v14 ⊕ v16 ⊕ v18 ⊕ v19
k9 = v1 ⊕ v2 ⊕ v6 ⊕ v7 ⊕ v10 ⊕ v12 ⊕ v14 ⊕ v15 ⊕ v17 ⊕ v19 ⊕ v20
k10 = v2 ⊕ v3 ⊕ v7 ⊕ v8 ⊕ v11 ⊕ v13 ⊕ v15 ⊕ v16 ⊕ v18 ⊕ v20 ⊕ v21
k11 = v3 ⊕ v4 ⊕ v8 ⊕ v9 ⊕ v12 ⊕ v14 ⊕ v16 ⊕ v17 ⊕ v19 ⊕ v21
k12 = v4 ⊕ v5 ⊕ v9 ⊕ v10 ⊕ v13 ⊕ v15 ⊕ v17 ⊕ v18 ⊕ v20
k13 = v5 ⊕ v6 ⊕ v10 ⊕ v11 ⊕ v14 ⊕ v16 ⊕ v18 ⊕ v19 ⊕ v21
k14 = v0 ⊕ v1 ⊕ v5 ⊕ v7 ⊕ v8 ⊕ v12 ⊕ v15 ⊕ v17 ⊕ v18 ⊕ v19 ⊕ v20
k15 = v1 ⊕ v2 ⊕ v6 ⊕ v8 ⊕ v9 ⊕ v13 ⊕ v16 ⊕ v18 ⊕ v19 ⊕ v20 ⊕ v21
k16 = v2 ⊕ v3 ⊕ v7 ⊕ v9 ⊕ v10 ⊕ v14 ⊕ v17 ⊕ v19 ⊕ v20 ⊕ v21
k17 = v0 ⊕ v1 ⊕ v3 ⊕ v4 ⊕ v5 ⊕ v6 ⊕ v10 ⊕ v15 ⊕ v20 ⊕ v21
k18 = v0 ⊕ v2 ⊕ v4 ⊕ v7 ⊕ v8 ⊕ v16 ⊕ v18 ⊕ v21
k19 = v0 ⊕ v3 ⊕ v6 ⊕ v9 ⊕ v11 ⊕ v17 ⊕ v18 ⊕ v19
k20 = v1 ⊕ v4 ⊕ v7 ⊕ v10 ⊕ v12 ⊕ v18 ⊕ v19 ⊕ v20
k21 = v2 ⊕ v5 ⊕ v8 ⊕ v11 ⊕ v13 ⊕ v19 ⊕ v20 ⊕ v21
k22 = v0 ⊕ v1 ⊕ v3 ⊕ v5 ⊕ v8 ⊕ v9 ⊕ v11 ⊕ v12 ⊕ v14 ⊕ v18 ⊕ v20 ⊕ v21
k23 = v0 ⊕ v2 ⊕ v4 ⊕ v5 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v11 ⊕ v12 ⊕ v13 ⊕ v15 ⊕ v18 ⊕ v19 ⊕ v21
k24 = v1 ⊕ v3 ⊕ v5 ⊕ v6 ⊕ v9 ⊕ v10 ⊕ v11 ⊕ v12 ⊕ v13 ⊕ v14 ⊕ v16 ⊕ v19 ⊕ v20
k25 = v0 ⊕ v1 ⊕ v2 ⊕ v4 ⊕ v5 ⊕ v7 ⊕ v8 ⊕ v10 ⊕ v12 ⊕ v13 ⊕ v14 ⊕ v15 ⊕ v17 ⊕ v18 ⊕ v20 ⊕ v21
k26 = v0 ⊕ v2 ⊕ v3 ⊕ v9 ⊕ v13 ⊕ v14 ⊕ v15 ⊕ v16 ⊕ v19 ⊕ v21
k27 = v0 ⊕ v3 ⊕ v4 ⊕ v5 ⊕ v6 ⊕ v8 ⊕ v10 ⊕ v11 ⊕ v14 ⊕ v15 ⊕ v16 ⊕ v17 ⊕ v18 ⊕ v20
k28 = v1 ⊕ v4 ⊕ v5 ⊕ v6 ⊕ v7 ⊕ v9 ⊕ v11 ⊕ v12 ⊕ v15 ⊕ v16 ⊕ v17 ⊕ v18 ⊕ v19 ⊕ v21
k29 = v0 ⊕ v1 ⊕ v2 ⊕ v7 ⊕ v10 ⊕ v11 ⊕ v12 ⊕ v13 ⊕ v16 ⊕ v17 ⊕ v19 ⊕ v20
k30 = v0 ⊕ v2 ⊕ v3 ⊕ v5 ⊕ v6 ⊕ v12 ⊕ v13 ⊕ v14 ⊕ v17 ⊕ v20 ⊕ v21
k31 = v1 ⊕ v3 ⊕ v4 ⊕ v6 ⊕ v7 ⊕ v13 ⊕ v14 ⊕ v15 ⊕ v18 ⊕ v21
k32 = v2 ⊕ v4 ⊕ v5 ⊕ v7 ⊕ v8 ⊕ v14 ⊕ v15 ⊕ v16 ⊕ v19
k33 = v3 ⊕ v5 ⊕ v6 ⊕ v8 ⊕ v9 ⊕ v15 ⊕ v16 ⊕ v17 ⊕ v20
k34 = v4 ⊕ v6 ⊕ v7 ⊕ v9 ⊕ v10 ⊕ v16 ⊕ v17 ⊕ v18 ⊕ v21
k35 = v5 ⊕ v7 ⊕ v8 ⊕ v10 ⊕ v11 ⊕ v17 ⊕ v18 ⊕ v19
k36 = v6 ⊕ v8 ⊕ v9 ⊕ v11 ⊕ v12 ⊕ v18 ⊕ v19 ⊕ v20
k37 = v0 ⊕ v1 ⊕ v5 ⊕ v6 ⊕ v7 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v11 ⊕ v12 ⊕ v13 ⊕ v18 ⊕ v19 ⊕ v20 ⊕ v21
k38 = v1 ⊕ v2 ⊕ v6 ⊕ v7 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v11 ⊕ v12 ⊕ v13 ⊕ v14 ⊕ v19 ⊕ v20 ⊕ v21


k39 = v2 ⊕ v3 ⊕ v7 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v11 ⊕ v12 ⊕ v13 ⊕ v14 ⊕ v15 ⊕ v20 ⊕ v21
k40 = v0 ⊕ v1 ⊕ v3 ⊕ v4 ⊕ v5 ⊕ v6 ⊕ v9 ⊕ v10 ⊕ v12 ⊕ v13 ⊕ v14 ⊕ v15 ⊕ v16 ⊕ v18 ⊕ v21
k41 = v0 ⊕ v2 ⊕ v4 ⊕ v7 ⊕ v8 ⊕ v10 ⊕ v13 ⊕ v14 ⊕ v15 ⊕ v16 ⊕ v17 ⊕ v18 ⊕ v19
k42 = v1 ⊕ v3 ⊕ v5 ⊕ v8 ⊕ v9 ⊕ v11 ⊕ v14 ⊕ v15 ⊕ v16 ⊕ v17 ⊕ v18 ⊕ v19 ⊕ v20
k43 = v0 ⊕ v1 ⊕ v2 ⊕ v4 ⊕ v5 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v11 ⊕ v12 ⊕ v15 ⊕ v16 ⊕ v17 ⊕ v19 ⊕ v20 ⊕ v21
k44 = v0 ⊕ v2 ⊕ v3 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v12 ⊕ v13 ⊕ v16 ⊕ v17 ⊕ v20 ⊕ v21
k45 = v0 ⊕ v3 ⊕ v4 ⊕ v5 ⊕ v6 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v13 ⊕ v14 ⊕ v17 ⊕ v21
k46 = v0 ⊕ v4 ⊕ v7 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v14 ⊕ v15
k47 = v1 ⊕ v5 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v11 ⊕ v15 ⊕ v16
k48 = v2 ⊕ v6 ⊕ v9 ⊕ v10 ⊕ v11 ⊕ v12 ⊕ v16 ⊕ v17
k49 = v0 ⊕ v1 ⊕ v3 ⊕ v5 ⊕ v6 ⊕ v7 ⊕ v8 ⊕ v10 ⊕ v12 ⊕ v13 ⊕ v17
k50 = v1 ⊕ v2 ⊕ v4 ⊕ v6 ⊕ v7 ⊕ v8 ⊕ v9 ⊕ v11 ⊕ v13 ⊕ v14 ⊕ v18
k51 = v2 ⊕ v3 ⊕ v5 ⊕ v7 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v12 ⊕ v14 ⊕ v15 ⊕ v19
k52 = v3 ⊕ v4 ⊕ v6 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v11 ⊕ v13 ⊕ v15 ⊕ v16 ⊕ v20
k53 = v4 ⊕ v5 ⊕ v7 ⊕ v9 ⊕ v10 ⊕ v11 ⊕ v12 ⊕ v14 ⊕ v16 ⊕ v17 ⊕ v21
k54 = v5 ⊕ v6 ⊕ v8 ⊕ v10 ⊕ v11 ⊕ v12 ⊕ v13 ⊕ v15 ⊕ v17 ⊕ v18
k55 = v6 ⊕ v7 ⊕ v9 ⊕ v11 ⊕ v12 ⊕ v13 ⊕ v14 ⊕ v16 ⊕ v18 ⊕ v19
k56 = v0 ⊕ v1 ⊕ v5 ⊕ v6 ⊕ v7 ⊕ v10 ⊕ v11 ⊕ v12 ⊕ v13 ⊕ v14 ⊕ v15 ⊕ v17 ⊕ v18 ⊕ v19 ⊕ v20
k57 = v1 ⊕ v2 ⊕ v6 ⊕ v7 ⊕ v8 ⊕ v11 ⊕ v12 ⊕ v13 ⊕ v14 ⊕ v15 ⊕ v16 ⊕ v18 ⊕ v19 ⊕ v20 ⊕ v21
k58 = v2 ⊕ v3 ⊕ v7 ⊕ v8 ⊕ v9 ⊕ v12 ⊕ v13 ⊕ v14 ⊕ v15 ⊕ v16 ⊕ v17 ⊕ v19 ⊕ v20 ⊕ v21
k59 = v3 ⊕ v4 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v13 ⊕ v14 ⊕ v15 ⊕ v16 ⊕ v17 ⊕ v18 ⊕ v20 ⊕ v21
k60 = v0 ⊕ v1 ⊕ v4 ⊕ v6 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v14 ⊕ v15 ⊕ v16 ⊕ v17 ⊕ v19 ⊕ v21
k61 = v0 ⊕ v2 ⊕ v6 ⊕ v7 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v15 ⊕ v16 ⊕ v17 ⊕ v20
k62 = v0 ⊕ v3 ⊕ v5 ⊕ v6 ⊕ v7 ⊕ v9 ⊕ v10 ⊕ v16 ⊕ v17 ⊕ v21
k63 = v0 ⊕ v4 ⊕ v5 ⊕ v7 ⊕ v10 ⊕ v17

B Two LFSRs contain all-zeros values

For two LFSRs containing all-zeros, there are 3 possible cases of LFSRs that contain all-zeros, as mentioned previously: Cases 1, 2 and 3 for LFSRs (A,B), (A,C) or (B,C) respectively. The relationship between key and IV bits that results in two LFSRs containing all-zero values can be expressed as follows:

Case 1:

To obtain two LFSRs A and B containing all-zero values at the end of the loading phase, the following system of equations must be satisfied:

k0 = k41 ⊕ k44 ⊕ k46 ⊕ k50 ⊕ k51 ⊕ k52 ⊕ k53 ⊕ k54 ⊕ k56 ⊕ k57 ⊕ k59 ⊕ k60 ⊕ k62 ⊕ v0 ⊕ v1 ⊕ v2 ⊕ v3 ⊕ v4 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v11 ⊕ v14 ⊕ v15 ⊕ v18 ⊕ v19 ⊕ v20
k1 = k42 ⊕ k45 ⊕ k47 ⊕ k51 ⊕ k52 ⊕ k53 ⊕ k54 ⊕ k55 ⊕ k57 ⊕ k58 ⊕ k60 ⊕ k61 ⊕ k63 ⊕ v1 ⊕ v2 ⊕ v3 ⊕ v4 ⊕ v5 ⊕ v9 ⊕ v10 ⊕ v11 ⊕ v12 ⊕ v15 ⊕ v16 ⊕ v19 ⊕ v20 ⊕ v21
k2 = k43 ⊕ k46 ⊕ k48 ⊕ k52 ⊕ k53 ⊕ k54 ⊕ k55 ⊕ k56 ⊕ k58 ⊕ k59 ⊕ k61 ⊕ k62 ⊕ v0 ⊕ v2 ⊕ v3 ⊕ v4 ⊕ v5 ⊕ v6 ⊕ v10 ⊕ v11 ⊕ v12 ⊕ v13 ⊕ v16 ⊕ v17 ⊕ v20 ⊕ v21
k3 = k44 ⊕ k47 ⊕ k49 ⊕ k53 ⊕ k54 ⊕ k55 ⊕ k56 ⊕ k57 ⊕ k59 ⊕ k60 ⊕ k62 ⊕ k63 ⊕ v1 ⊕ v3 ⊕ v4 ⊕ v5 ⊕ v6 ⊕ v7 ⊕ v11 ⊕ v12 ⊕ v13 ⊕ v14 ⊕ v17 ⊕ v18 ⊕ v21
k4 = k45 ⊕ k48 ⊕ k50 ⊕ k54 ⊕ k55 ⊕ k56 ⊕ k57 ⊕ k58 ⊕ k60 ⊕ k61 ⊕ k63 ⊕ v0 ⊕ v2 ⊕ v4 ⊕ v5 ⊕ v6 ⊕ v7 ⊕ v8 ⊕ v12 ⊕ v13 ⊕ v14 ⊕ v15 ⊕ v18 ⊕ v19
k5 = k46 ⊕ k49 ⊕ k51 ⊕ k55 ⊕ k56 ⊕ k57 ⊕ k58 ⊕ k59 ⊕ k61 ⊕ k62 ⊕ v0 ⊕ v1 ⊕ v3 ⊕ v5 ⊕ v6 ⊕ v7 ⊕ v8 ⊕ v9 ⊕ v13 ⊕ v14 ⊕ v15 ⊕ v16 ⊕ v19 ⊕ v20
k6 = k47 ⊕ k50 ⊕ k52 ⊕ k56 ⊕ k57 ⊕ k58 ⊕ k59 ⊕ k60 ⊕ k62 ⊕ k63 ⊕ v1 ⊕ v2 ⊕ v4 ⊕ v6 ⊕ v7 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v14 ⊕ v15 ⊕ v16 ⊕ v17 ⊕ v20 ⊕ v21
k7 = k48 ⊕ k51 ⊕ k53 ⊕ k57 ⊕ k58 ⊕ k59 ⊕ k60 ⊕ k61 ⊕ k63 ⊕ v0 ⊕ v2 ⊕ v3 ⊕ v5 ⊕ v7 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v11 ⊕ v15 ⊕ v16 ⊕ v17 ⊕ v18 ⊕ v21
k8 = k49 ⊕ k52 ⊕ k54 ⊕ k58 ⊕ k59 ⊕ k60 ⊕ k61 ⊕ k62 ⊕ v0 ⊕ v1 ⊕ v3 ⊕ v4 ⊕ v6 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v11 ⊕ v12 ⊕ v16 ⊕ v17 ⊕ v18 ⊕ v19
k9 = k50 ⊕ k53 ⊕ k55 ⊕ k59 ⊕ k60 ⊕ k61 ⊕ k62 ⊕ k63 ⊕ v1 ⊕ v2 ⊕ v4 ⊕ v5 ⊕ v7 ⊕ v9 ⊕ v10 ⊕ v11 ⊕ v12 ⊕ v13 ⊕ v17 ⊕ v18 ⊕ v19 ⊕ v20
k10 = k51 ⊕ k54 ⊕ k56 ⊕ k60 ⊕ k61 ⊕ k62 ⊕ k63 ⊕ v0 ⊕ v2 ⊕ v3 ⊕ v5 ⊕ v6 ⊕ v8 ⊕ v10 ⊕ v11 ⊕ v12 ⊕ v13 ⊕ v14 ⊕ v18 ⊕ v19 ⊕ v20 ⊕ v21
k11 = k52 ⊕ k55 ⊕ k57 ⊕ k61 ⊕ k62 ⊕ k63 ⊕ v0 ⊕ v1 ⊕ v3 ⊕ v4 ⊕ v6 ⊕ v7 ⊕ v9 ⊕ v11 ⊕ v12 ⊕ v13 ⊕ v14 ⊕ v15 ⊕ v19 ⊕ v20 ⊕ v21
k12 = k53 ⊕ k56 ⊕ k58 ⊕ k62 ⊕ k63 ⊕ v0 ⊕ v1 ⊕ v2 ⊕ v4 ⊕ v5 ⊕ v7 ⊕ v8 ⊕ v10 ⊕ v12 ⊕ v13 ⊕ v14 ⊕ v15 ⊕ v16 ⊕ v20 ⊕ v21
k13 = k54 ⊕ k57 ⊕ k59 ⊕ k63 ⊕ v0 ⊕ v1 ⊕ v2 ⊕ v3 ⊕ v5 ⊕ v6 ⊕ v8 ⊕ v9 ⊕ v11 ⊕ v13 ⊕ v14 ⊕ v15 ⊕ v16 ⊕ v17 ⊕ v21
k14 = k41 ⊕ k44 ⊕ k46 ⊕ k50 ⊕ k51 ⊕ k52 ⊕ k53 ⊕ k54 ⊕ k55 ⊕ k56 ⊕ k57 ⊕ k58 ⊕ k59 ⊕ k62 ⊕ v6 ⊕ v7 ⊕ v8 ⊕ v11 ⊕ v12 ⊕ v16 ⊕ v17 ⊕ v19 ⊕ v20
k15 = k42 ⊕ k45 ⊕ k47 ⊕ k51 ⊕ k52 ⊕ k53 ⊕ k54 ⊕ k55 ⊕ k56 ⊕ k57 ⊕ k58 ⊕ k59 ⊕ k60 ⊕ k63 ⊕ v7 ⊕ v8 ⊕ v9 ⊕ v12 ⊕ v13 ⊕ v17 ⊕ v18 ⊕ v20 ⊕ v21
k16 = k43 ⊕ k46 ⊕ k48 ⊕ k52 ⊕ k53 ⊕ k54 ⊕ k55 ⊕ k56 ⊕ k57 ⊕ k58 ⊕ k59 ⊕ k60 ⊕ k61 ⊕ v0 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v13 ⊕ v14 ⊕ v18 ⊕ v19 ⊕ v21
k17 = k41 ⊕ k46 ⊕ k47 ⊕ k49 ⊕ k50 ⊕ k51 ⊕ k52 ⊕ k55 ⊕ k58 ⊕ k61 ⊕ v0 ⊕ v2 ⊕ v3 ⊕ v4 ⊕ v8 ⊕ v18
k18 = k41 ⊕ k42 ⊕ k44 ⊕ k46 ⊕ k47 ⊕ k48 ⊕ k54 ⊕ k57 ⊕ k60 ⊕ v0 ⊕ v2 ⊕ v5 ⊕ v8 ⊕ v10 ⊕ v11 ⊕ v14 ⊕ v15 ⊕ v18 ⊕ v20
k19 = k41 ⊕ k42 ⊕ k43 ⊕ k44 ⊕ k45 ⊕ k46 ⊕ k47 ⊕ k48 ⊕ k49 ⊕ k50 ⊕ k51 ⊕ k52 ⊕ k53 ⊕ k54 ⊕ k55 ⊕ k56 ⊕ k57 ⊕ k58 ⊕ k59 ⊕ k60 ⊕ k61 ⊕ k62 ⊕ v0 ⊕ v2 ⊕ v4 ⊕ v6 ⊕ v8 ⊕ v10 ⊕ v12 ⊕ v14 ⊕ v16 ⊕ v18 ⊕ v20 ⊕ v21

Proceedings of the Twelfth Australasian Information Security Conference (AISC 2014), Auckland, New Zealand


k20 = k42 ⊕ k43 ⊕ k44 ⊕ k45 ⊕ k46 ⊕ k47 ⊕ k48 ⊕ k49 ⊕ k50 ⊕ k51 ⊕ k52 ⊕ k53 ⊕ k54 ⊕ k55 ⊕ k56 ⊕ k57 ⊕ k58 ⊕ k59 ⊕ k60 ⊕ k61 ⊕ k62 ⊕ k63 ⊕ v1 ⊕ v3 ⊕ v5 ⊕ v7 ⊕ v9 ⊕ v11 ⊕ v13 ⊕ v15 ⊕ v17 ⊕ v19 ⊕ v21

k21 = k41 ⊕ k43 ⊕ k45 ⊕ k47 ⊕ k48 ⊕ k49 ⊕ k55 ⊕ k58 ⊕ k61 ⊕ k63 ⊕ v1 ⊕ v3 ⊕ v6 ⊕ v9 ⊕ v11 ⊕ v12 ⊕ v15 ⊕ v16 ⊕ v19

k22 = k41 ⊕ k42 ⊕ k48 ⊕ k49 ⊕ k51 ⊕ k52 ⊕ k53 ⊕ k54 ⊕ k57 ⊕ k60 ⊕ v1 ⊕ v3 ⊕ v7 ⊕ v8 ⊕ v9 ⊕ v11 ⊕ v12 ⊕ v13 ⊕ v14 ⊕ v15 ⊕ v16 ⊕ v17 ⊕ v18 ⊕ v19

k23 = k42 ⊕ k43 ⊕ k49 ⊕ k50 ⊕ k52 ⊕ k53 ⊕ k54 ⊕ k55 ⊕ k58 ⊕ k61 ⊕ v2 ⊕ v4 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v12 ⊕ v13 ⊕ v14 ⊕ v15 ⊕ v16 ⊕ v17 ⊕ v18 ⊕ v19 ⊕ v20

k24 = k43 ⊕ k44 ⊕ k50 ⊕ k51 ⊕ k53 ⊕ k54 ⊕ k55 ⊕ k56 ⊕ k59 ⊕ k62 ⊕ v3 ⊕ v5 ⊕ v9 ⊕ v10 ⊕ v11 ⊕ v13 ⊕ v14 ⊕ v15 ⊕ v16 ⊕ v17 ⊕ v18 ⊕ v19 ⊕ v20 ⊕ v21

k25 = k44 ⊕ k45 ⊕ k51 ⊕ k52 ⊕ k54 ⊕ k55 ⊕ k56 ⊕ k57 ⊕ k60 ⊕ k63 ⊕ v4 ⊕ v6 ⊕ v10 ⊕ v11 ⊕ v12 ⊕ v14 ⊕ v15 ⊕ v16 ⊕ v17 ⊕ v18 ⊕ v19 ⊕ v20 ⊕ v21

k26 = k45 ⊕ k46 ⊕ k52 ⊕ k53 ⊕ k55 ⊕ k56 ⊕ k57 ⊕ k58 ⊕ k61 ⊕ v0 ⊕ v5 ⊕ v7 ⊕ v11 ⊕ v12 ⊕ v13 ⊕ v15 ⊕ v16 ⊕ v17 ⊕ v18 ⊕ v19 ⊕ v20 ⊕ v21

k27 = k46 ⊕ k47 ⊕ k53 ⊕ k54 ⊕ k56 ⊕ k57 ⊕ k58 ⊕ k59 ⊕ k62 ⊕ v1 ⊕ v6 ⊕ v8 ⊕ v12 ⊕ v13 ⊕ v14 ⊕ v16 ⊕ v17 ⊕ v18 ⊕ v19 ⊕ v20 ⊕ v21

k28 = k47 ⊕ k48 ⊕ k54 ⊕ k55 ⊕ k57 ⊕ k58 ⊕ k59 ⊕ k60 ⊕ k63 ⊕ v2 ⊕ v7 ⊕ v9 ⊕ v13 ⊕ v14 ⊕ v15 ⊕ v17 ⊕ v18 ⊕ v19 ⊕ v20 ⊕ v21

k29 = k48 ⊕ k49 ⊕ k55 ⊕ k56 ⊕ k58 ⊕ k59 ⊕ k60 ⊕ k61 ⊕ v0 ⊕ v3 ⊕ v8 ⊕ v10 ⊕ v14 ⊕ v15 ⊕ v16 ⊕ v18 ⊕ v19 ⊕ v20 ⊕ v21

k30 = k49 ⊕ k50 ⊕ k56 ⊕ k57 ⊕ k59 ⊕ k60 ⊕ k61 ⊕ k62 ⊕ v1 ⊕ v4 ⊕ v9 ⊕ v11 ⊕ v15 ⊕ v16 ⊕ v17 ⊕ v19 ⊕ v20 ⊕ v21

k31 = k50 ⊕ k51 ⊕ k57 ⊕ k58 ⊕ k60 ⊕ k61 ⊕ k62 ⊕ k63 ⊕ v2 ⊕ v5 ⊕ v10 ⊕ v12 ⊕ v16 ⊕ v17 ⊕ v18 ⊕ v20 ⊕ v21

k32 = k51 ⊕ k52 ⊕ k58 ⊕ k59 ⊕ k61 ⊕ k62 ⊕ k63 ⊕ v0 ⊕ v3 ⊕ v6 ⊕ v11 ⊕ v13 ⊕ v17 ⊕ v18 ⊕ v19 ⊕ v21

k33 = k52 ⊕ k53 ⊕ k59 ⊕ k60 ⊕ k62 ⊕ k63 ⊕ v0 ⊕ v1 ⊕ v4 ⊕ v7 ⊕ v12 ⊕ v14 ⊕ v18 ⊕ v19 ⊕ v20

k34 = k53 ⊕ k54 ⊕ k60 ⊕ k61 ⊕ k63 ⊕ v0 ⊕ v1 ⊕ v2 ⊕ v5 ⊕ v8 ⊕ v13 ⊕ v15 ⊕ v19 ⊕ v20 ⊕ v21

k35 = k41 ⊕ k44 ⊕ k46 ⊕ k50 ⊕ k51 ⊕ k52 ⊕ k53 ⊕ k55 ⊕ k56 ⊕ k57 ⊕ k59 ⊕ k60 ⊕ k61 ⊕ v4 ⊕ v6 ⊕ v8 ⊕ v10 ⊕ v11 ⊕ v15 ⊕ v16 ⊕ v18 ⊕ v19 ⊕ v21

k36 = k41 ⊕ k42 ⊕ k44 ⊕ k45 ⊕ k46 ⊕ k47 ⊕ k50 ⊕ k58 ⊕ k59 ⊕ k61 ⊕ v0 ⊕ v1 ⊕ v2 ⊕ v3 ⊕ v4 ⊕ v5 ⊕ v7 ⊕ v8 ⊕ v10 ⊕ v12 ⊕ v14 ⊕ v15 ⊕ v16 ⊕ v17 ⊕ v18

k37 = k42 ⊕ k43 ⊕ k45 ⊕ k46 ⊕ k47 ⊕ k48 ⊕ k51 ⊕ k59 ⊕ k60 ⊕ k62 ⊕ v1 ⊕ v2 ⊕ v3 ⊕ v4 ⊕ v5 ⊕ v6 ⊕ v8 ⊕ v9 ⊕ v11 ⊕ v13 ⊕ v15 ⊕ v16 ⊕ v17 ⊕ v18 ⊕ v19

k38 = k41 ⊕ k43 ⊕ k47 ⊕ k48 ⊕ k49 ⊕ k50 ⊕ k51 ⊕ k53 ⊕ k54 ⊕ k56 ⊕ k57 ⊕ k59 ⊕ k61 ⊕ k62 ⊕ k63 ⊕ v0 ⊕ v1 ⊕ v5 ⊕ v6 ⊕ v7 ⊕ v8 ⊕ v11 ⊕ v12 ⊕ v15 ⊕ v16 ⊕ v17

k39 = k42 ⊕ k44 ⊕ k48 ⊕ k49 ⊕ k50 ⊕ k51 ⊕ k52 ⊕ k54 ⊕ k55 ⊕ k57 ⊕ k58 ⊕ k60 ⊕ k62 ⊕ k63 ⊕ v0 ⊕ v1 ⊕ v2 ⊕ v6 ⊕ v7 ⊕ v8 ⊕ v9 ⊕ v12 ⊕ v13 ⊕ v16 ⊕ v17 ⊕ v18

k40 = k43 ⊕ k45 ⊕ k49 ⊕ k50 ⊕ k51 ⊕ k52 ⊕ k53 ⊕ k55 ⊕ k56 ⊕ k58 ⊕ k59 ⊕ k61 ⊕ k63 ⊕ v0 ⊕ v1 ⊕ v2 ⊕ v3 ⊕ v7 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v13 ⊕ v14 ⊕ v17 ⊕ v18 ⊕ v19

Case 2:

The conditions for the system of equations that are required to result in LFSRs A and C containing all-zero values after completing the loading phase can be expressed as follows:

k0 = k42 ⊕ k44 ⊕ k47 ⊕ k49 ⊕ k50 ⊕ k51 ⊕ k53 ⊕ k54 ⊕ k60 ⊕ k61 ⊕ v0 ⊕ v4 ⊕ v5 ⊕ v7 ⊕ v12 ⊕ v14 ⊕ v17 ⊕ v19 ⊕ v20 ⊕ v21

k1 = k43 ⊕ k45 ⊕ k48 ⊕ k50 ⊕ k51 ⊕ k52 ⊕ k54 ⊕ k55 ⊕ k61 ⊕ k62 ⊕ v1 ⊕ v5 ⊕ v6 ⊕ v8 ⊕ v13 ⊕ v15 ⊕ v18 ⊕ v20 ⊕ v21

k2 = k44 ⊕ k46 ⊕ k49 ⊕ k51 ⊕ k52 ⊕ k53 ⊕ k55 ⊕ k56 ⊕ k62 ⊕ k63 ⊕ v2 ⊕ v6 ⊕ v7 ⊕ v9 ⊕ v14 ⊕ v16 ⊕ v19 ⊕ v21

k3 = k45 ⊕ k47 ⊕ k50 ⊕ k52 ⊕ k53 ⊕ k54 ⊕ k56 ⊕ k57 ⊕ k63 ⊕ v0 ⊕ v3 ⊕ v7 ⊕ v8 ⊕ v10 ⊕ v15 ⊕ v17 ⊕ v20

k4 = k46 ⊕ k48 ⊕ k51 ⊕ k53 ⊕ k54 ⊕ k55 ⊕ k57 ⊕ k58 ⊕ v0 ⊕ v1 ⊕ v4 ⊕ v8 ⊕ v9 ⊕ v11 ⊕ v16 ⊕ v18 ⊕ v21

k5 = k47 ⊕ k49 ⊕ k52 ⊕ k54 ⊕ k55 ⊕ k56 ⊕ k58 ⊕ k59 ⊕ v1 ⊕ v2 ⊕ v5 ⊕ v9 ⊕ v10 ⊕ v12 ⊕ v17 ⊕ v19

k6 = k48 ⊕ k50 ⊕ k53 ⊕ k55 ⊕ k56 ⊕ k57 ⊕ k59 ⊕ k60 ⊕ v2 ⊕ v3 ⊕ v6 ⊕ v10 ⊕ v11 ⊕ v13 ⊕ v18 ⊕ v20

k7 = k49 ⊕ k51 ⊕ k54 ⊕ k56 ⊕ k57 ⊕ k58 ⊕ k60 ⊕ k61 ⊕ v3 ⊕ v4 ⊕ v7 ⊕ v11 ⊕ v12 ⊕ v14 ⊕ v19 ⊕ v21

k8 = k42 ⊕ k44 ⊕ k47 ⊕ k49 ⊕ k51 ⊕ k52 ⊕ k53 ⊕ k54 ⊕ k55 ⊕ k57 ⊕ k58 ⊕ k59 ⊕ k60 ⊕ k62 ⊕ v0 ⊕ v7 ⊕ v8 ⊕ v13 ⊕ v14 ⊕ v15 ⊕ v17 ⊕ v19 ⊕ v21

k9 = k43 ⊕ k45 ⊕ k48 ⊕ k50 ⊕ k52 ⊕ k53 ⊕ k54 ⊕ k55 ⊕ k56 ⊕ k58 ⊕ k59 ⊕ k60 ⊕ k61 ⊕ k63 ⊕ v1 ⊕ v8 ⊕ v9 ⊕ v14 ⊕ v15 ⊕ v16 ⊕ v18 ⊕ v20

k10 = k44 ⊕ k46 ⊕ k49 ⊕ k51 ⊕ k53 ⊕ k54 ⊕ k55 ⊕ k56 ⊕ k57 ⊕ k59 ⊕ k60 ⊕ k61 ⊕ k62 ⊕ v0 ⊕ v2 ⊕ v9 ⊕ v10 ⊕ v15 ⊕ v16 ⊕ v17 ⊕ v19 ⊕ v21

k11 = k45 ⊕ k47 ⊕ k50 ⊕ k52 ⊕ k54 ⊕ k55 ⊕ k56 ⊕ k57 ⊕ k58 ⊕ k60 ⊕ k61 ⊕ k62 ⊕ k63 ⊕ v1 ⊕ v3 ⊕ v10 ⊕ v11 ⊕ v16 ⊕ v17 ⊕ v18 ⊕ v20

k12 = k46 ⊕ k48 ⊕ k51 ⊕ k53 ⊕ k55 ⊕ k56 ⊕ k57 ⊕ k58 ⊕ k59 ⊕ k61 ⊕ k62 ⊕ k63 ⊕ v0 ⊕ v2 ⊕ v4 ⊕ v11 ⊕ v12 ⊕ v17 ⊕ v18 ⊕ v19 ⊕ v21

k13 = k47 ⊕ k49 ⊕ k52 ⊕ k54 ⊕ k56 ⊕ k57 ⊕ k58 ⊕ k59 ⊕ k60 ⊕ k62 ⊕ k63 ⊕ v0 ⊕ v1 ⊕ v3 ⊕ v5 ⊕ v12 ⊕ v13 ⊕ v18 ⊕ v19 ⊕ v20

k14 = k42 ⊕ k44 ⊕ k47 ⊕ k48 ⊕ k49 ⊕ k51 ⊕ k54 ⊕ k55 ⊕ k57 ⊕ k58 ⊕ k59 ⊕ k63 ⊕ v1 ⊕ v2 ⊕ v5 ⊕ v6 ⊕ v7 ⊕ v12 ⊕ v13 ⊕ v17

k15 = k43 ⊕ k45 ⊕ k48 ⊕ k49 ⊕ k50 ⊕ k52 ⊕ k55 ⊕ k56 ⊕ k58 ⊕ k59 ⊕ k60 ⊕ v0 ⊕ v2 ⊕ v3 ⊕ v6 ⊕ v7 ⊕ v8 ⊕ v13 ⊕ v14 ⊕ v18

k16 = k44 ⊕ k46 ⊕ k49 ⊕ k50 ⊕ k51 ⊕ k53 ⊕ k56 ⊕ k57 ⊕ k59 ⊕ k60 ⊕ k61 ⊕ v1 ⊕ v3 ⊕ v4 ⊕ v7 ⊕ v8 ⊕ v9 ⊕ v14 ⊕ v15 ⊕ v19

k17 = k42 ⊕ k44 ⊕ k45 ⊕ k49 ⊕ k52 ⊕ k53 ⊕ k57 ⊕ k58 ⊕ k62 ⊕ v0 ⊕ v2 ⊕ v7 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v12 ⊕ v14 ⊕ v15 ⊕ v16 ⊕ v17 ⊕ v19 ⊕ v21

k18 = k42 ⊕ k43 ⊕ k44 ⊕ k45 ⊕ k46 ⊕ k47 ⊕ k49 ⊕ k51 ⊕ k58 ⊕ k59 ⊕ k60 ⊕ k61 ⊕ k63 ⊕ v0 ⊕ v1 ⊕ v3 ⊕ v4 ⊕ v5 ⊕ v7 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v11 ⊕ v12 ⊕ v13 ⊕ v14 ⊕ v15 ⊕ v16 ⊕ v18 ⊕ v19 ⊕ v21

CRPIT Volume 149 - Information Security 2014


k19 = k42 ⊕ k43 ⊕ k45 ⊕ k46 ⊕ k48 ⊕ k49 ⊕ k51 ⊕ k52 ⊕ k53 ⊕ k54 ⊕ k59 ⊕ k62 ⊕ v1 ⊕ v2 ⊕ v6 ⊕ v7 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v11 ⊕ v13 ⊕ v15 ⊕ v16 ⊕ v21

k20 = k43 ⊕ k44 ⊕ k46 ⊕ k47 ⊕ k49 ⊕ k50 ⊕ k52 ⊕ k53 ⊕ k54 ⊕ k55 ⊕ k60 ⊕ k63 ⊕ v2 ⊕ v3 ⊕ v7 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v11 ⊕ v12 ⊕ v14 ⊕ v16 ⊕ v17

k21 = k42 ⊕ k45 ⊕ k48 ⊕ k49 ⊕ k55 ⊕ k56 ⊕ k60 ⊕ v3 ⊕ v5 ⊕ v7 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v11 ⊕ v13 ⊕ v14 ⊕ v15 ⊕ v18 ⊕ v19 ⊕ v20 ⊕ v21

k22 = k43 ⊕ k46 ⊕ k49 ⊕ k50 ⊕ k56 ⊕ k57 ⊕ k61 ⊕ v4 ⊕ v6 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v11 ⊕ v12 ⊕ v14 ⊕ v15 ⊕ v16 ⊕ v19 ⊕ v20 ⊕ v21

k23 = k42 ⊕ k49 ⊕ k53 ⊕ k54 ⊕ k57 ⊕ k58 ⊕ k60 ⊕ k61 ⊕ k62 ⊕ v0 ⊕ v4 ⊕ v9 ⊕ v10 ⊕ v11 ⊕ v13 ⊕ v14 ⊕ v15 ⊕ v16 ⊕ v19

k24 = k43 ⊕ k50 ⊕ k54 ⊕ k55 ⊕ k58 ⊕ k59 ⊕ k61 ⊕ k62 ⊕ k63 ⊕ v1 ⊕ v5 ⊕ v10 ⊕ v11 ⊕ v12 ⊕ v14 ⊕ v15 ⊕ v16 ⊕ v17 ⊕ v20

k25 = k42 ⊕ k47 ⊕ k49 ⊕ k50 ⊕ k53 ⊕ k54 ⊕ k55 ⊕ k56 ⊕ k59 ⊕ k61 ⊕ k62 ⊕ k63 ⊕ v2 ⊕ v4 ⊕ v5 ⊕ v6 ⊕ v7 ⊕ v11 ⊕ v13 ⊕ v14 ⊕ v15 ⊕ v16 ⊕ v18 ⊕ v19 ⊕ v20

k26 = k42 ⊕ k43 ⊕ k44 ⊕ k47 ⊕ k48 ⊕ k49 ⊕ k53 ⊕ k55 ⊕ k56 ⊕ k57 ⊕ k61 ⊕ k62 ⊕ k63 ⊕ v3 ⊕ v4 ⊕ v6 ⊕ v8 ⊕ v15 ⊕ v16

k27 = k42 ⊕ k43 ⊕ k45 ⊕ k47 ⊕ k48 ⊕ k51 ⊕ k53 ⊕ k56 ⊕ k57 ⊕ k58 ⊕ k60 ⊕ k61 ⊕ k62 ⊕ k63 ⊕ v9 ⊕ v12 ⊕ v14 ⊕ v16 ⊕ v19 ⊕ v20 ⊕ v21

k28 = k43 ⊕ k44 ⊕ k46 ⊕ k48 ⊕ k49 ⊕ k52 ⊕ k54 ⊕ k57 ⊕ k58 ⊕ k59 ⊕ k61 ⊕ k62 ⊕ k63 ⊕ v0 ⊕ v10 ⊕ v13 ⊕ v15 ⊕ v17 ⊕ v20 ⊕ v21

k29 = k44 ⊕ k45 ⊕ k47 ⊕ k49 ⊕ k50 ⊕ k53 ⊕ k55 ⊕ k58 ⊕ k59 ⊕ k60 ⊕ k62 ⊕ k63 ⊕ v0 ⊕ v1 ⊕ v11 ⊕ v14 ⊕ v16 ⊕ v18 ⊕ v21

k30 = k45 ⊕ k46 ⊕ k48 ⊕ k50 ⊕ k51 ⊕ k54 ⊕ k56 ⊕ k59 ⊕ k60 ⊕ k61 ⊕ k63 ⊕ v0 ⊕ v1 ⊕ v2 ⊕ v12 ⊕ v15 ⊕ v17 ⊕ v19

k31 = k46 ⊕ k47 ⊕ k49 ⊕ k51 ⊕ k52 ⊕ k55 ⊕ k57 ⊕ k60 ⊕ k61 ⊕ k62 ⊕ v0 ⊕ v1 ⊕ v2 ⊕ v3 ⊕ v13 ⊕ v16 ⊕ v18 ⊕ v20

k32 = k47 ⊕ k48 ⊕ k50 ⊕ k52 ⊕ k53 ⊕ k56 ⊕ k58 ⊕ k61 ⊕ k62 ⊕ k63 ⊕ v1 ⊕ v2 ⊕ v3 ⊕ v4 ⊕ v14 ⊕ v17 ⊕ v19 ⊕ v21

k33 = k48 ⊕ k49 ⊕ k51 ⊕ k53 ⊕ k54 ⊕ k57 ⊕ k59 ⊕ k62 ⊕ k63 ⊕ v0 ⊕ v2 ⊕ v3 ⊕ v4 ⊕ v5 ⊕ v15 ⊕ v18 ⊕ v20

k34 = k49 ⊕ k50 ⊕ k52 ⊕ k54 ⊕ k55 ⊕ k58 ⊕ k60 ⊕ k63 ⊕ v0 ⊕ v1 ⊕ v3 ⊕ v4 ⊕ v5 ⊕ v6 ⊕ v16 ⊕ v19 ⊕ v21

k35 = k42 ⊕ k44 ⊕ k47 ⊕ k49 ⊕ k54 ⊕ k55 ⊕ k56 ⊕ k59 ⊕ k60 ⊕ v1 ⊕ v2 ⊕ v6 ⊕ v12 ⊕ v14 ⊕ v19 ⊕ v21

k36 = k42 ⊕ k43 ⊕ k44 ⊕ k45 ⊕ k47 ⊕ k48 ⊕ k49 ⊕ k51 ⊕ k53 ⊕ k54 ⊕ k55 ⊕ k56 ⊕ k57 ⊕ v0 ⊕ v2 ⊕ v3 ⊕ v4 ⊕ v5 ⊕ v12 ⊕ v13 ⊕ v14 ⊕ v15 ⊕ v17 ⊕ v19 ⊕ v21

k37 = k42 ⊕ k43 ⊕ k45 ⊕ k46 ⊕ k47 ⊕ k48 ⊕ k51 ⊕ k52 ⊕ k53 ⊕ k55 ⊕ k56 ⊕ k57 ⊕ k58 ⊕ k60 ⊕ k61 ⊕ v0 ⊕ v1 ⊕ v3 ⊕ v6 ⊕ v7 ⊕ v12 ⊕ v13 ⊕ v15 ⊕ v16 ⊕ v17 ⊕ v18 ⊕ v19 ⊕ v21

k38 = k42 ⊕ k43 ⊕ k46 ⊕ k48 ⊕ k50 ⊕ k51 ⊕ k52 ⊕ k56 ⊕ k57 ⊕ k58 ⊕ k59 ⊕ k60 ⊕ k62 ⊕ v0 ⊕ v1 ⊕ v2 ⊕ v5 ⊕ v8 ⊕ v12 ⊕ v13 ⊕ v16 ⊕ v18 ⊕ v21

k39 = k43 ⊕ k44 ⊕ k47 ⊕ k49 ⊕ k51 ⊕ k52 ⊕ k53 ⊕ k57 ⊕ k58 ⊕ k59 ⊕ k60 ⊕ k61 ⊕ k63 ⊕ v1 ⊕ v2 ⊕ v3 ⊕ v6 ⊕ v9 ⊕ v13 ⊕ v14 ⊕ v17 ⊕ v19

k40 = k42 ⊕ k45 ⊕ k47 ⊕ k48 ⊕ k49 ⊕ k51 ⊕ k52 ⊕ k58 ⊕ k59 ⊕ k62 ⊕ v2 ⊕ v3 ⊕ v5 ⊕ v10 ⊕ v12 ⊕ v15 ⊕ v17 ⊕ v18 ⊕ v19 ⊕ v21

k41 = k43 ⊕ k46 ⊕ k48 ⊕ k49 ⊕ k50 ⊕ k52 ⊕ k53 ⊕ k59 ⊕ k60 ⊕ k63 ⊕ v3 ⊕ v4 ⊕ v6 ⊕ v11 ⊕ v13 ⊕ v16 ⊕ v18 ⊕ v19 ⊕ v20

Case 3:

The system of equations that is required to result in LFSRs B and C containing all-zero values can be expressed as follows:

k0 = k45 ⊕ k48 ⊕ k51 ⊕ k54 ⊕ k57 ⊕ k61 ⊕ k63 ⊕ v5 ⊕ v13 ⊕ v14 ⊕ v16 ⊕ v17 ⊕ v18

k1 = k46 ⊕ k49 ⊕ k52 ⊕ k55 ⊕ k58 ⊕ k62 ⊕ v0 ⊕ v6 ⊕ v14 ⊕ v15 ⊕ v17 ⊕ v18 ⊕ v19

k2 = k47 ⊕ k50 ⊕ k53 ⊕ k56 ⊕ k59 ⊕ k63 ⊕ v1 ⊕ v7 ⊕ v15 ⊕ v16 ⊕ v18 ⊕ v19 ⊕ v20

k3 = k48 ⊕ k51 ⊕ k54 ⊕ k57 ⊕ k60 ⊕ v0 ⊕ v2 ⊕ v8 ⊕ v16 ⊕ v17 ⊕ v19 ⊕ v20 ⊕ v21

k4 = k49 ⊕ k52 ⊕ k55 ⊕ k58 ⊕ k61 ⊕ v1 ⊕ v3 ⊕ v9 ⊕ v17 ⊕ v18 ⊕ v20 ⊕ v21

k5 = k50 ⊕ k53 ⊕ k56 ⊕ k59 ⊕ k62 ⊕ v2 ⊕ v4 ⊕ v10 ⊕ v18 ⊕ v19 ⊕ v21

k6 = k51 ⊕ k54 ⊕ k57 ⊕ k60 ⊕ k63 ⊕ v3 ⊕ v5 ⊕ v11 ⊕ v19 ⊕ v20

k7 = k52 ⊕ k55 ⊕ k58 ⊕ k61 ⊕ v0 ⊕ v4 ⊕ v6 ⊕ v12 ⊕ v20 ⊕ v21

k8 = k45 ⊕ k48 ⊕ k51 ⊕ k53 ⊕ k54 ⊕ k56 ⊕ k57 ⊕ k59 ⊕ k61 ⊕ k62 ⊕ k63 ⊕ v1 ⊕ v7 ⊕ v14 ⊕ v16 ⊕ v17 ⊕ v18 ⊕ v21

k9 = k46 ⊕ k49 ⊕ k52 ⊕ k54 ⊕ k55 ⊕ k57 ⊕ k58 ⊕ k60 ⊕ k62 ⊕ k63 ⊕ v0 ⊕ v2 ⊕ v8 ⊕ v15 ⊕ v17 ⊕ v18 ⊕ v19

k10 = k47 ⊕ k50 ⊕ k53 ⊕ k55 ⊕ k56 ⊕ k58 ⊕ k59 ⊕ k61 ⊕ k63 ⊕ v0 ⊕ v1 ⊕ v3 ⊕ v9 ⊕ v16 ⊕ v18 ⊕ v19 ⊕ v20

k11 = k48 ⊕ k51 ⊕ k54 ⊕ k56 ⊕ k57 ⊕ k59 ⊕ k60 ⊕ k62 ⊕ v0 ⊕ v1 ⊕ v2 ⊕ v4 ⊕ v10 ⊕ v17 ⊕ v19 ⊕ v20 ⊕ v21

k12 = k49 ⊕ k52 ⊕ k55 ⊕ k57 ⊕ k58 ⊕ k60 ⊕ k61 ⊕ k63 ⊕ v1 ⊕ v2 ⊕ v3 ⊕ v5 ⊕ v11 ⊕ v18 ⊕ v20 ⊕ v21

k13 = k50 ⊕ k53 ⊕ k56 ⊕ k58 ⊕ k59 ⊕ k61 ⊕ k62 ⊕ v0 ⊕ v2 ⊕ v3 ⊕ v4 ⊕ v6 ⊕ v12 ⊕ v19 ⊕ v21

k14 = k51 ⊕ k54 ⊕ k57 ⊕ k59 ⊕ k60 ⊕ k62 ⊕ k63 ⊕ v1 ⊕ v3 ⊕ v4 ⊕ v5 ⊕ v7 ⊕ v13 ⊕ v20

k15 = k52 ⊕ k55 ⊕ k58 ⊕ k60 ⊕ k61 ⊕ k63 ⊕ v0 ⊕ v2 ⊕ v4 ⊕ v5 ⊕ v6 ⊕ v8 ⊕ v14 ⊕ v21

k16 = k53 ⊕ k56 ⊕ k59 ⊕ k61 ⊕ k62 ⊕ v0 ⊕ v1 ⊕ v3 ⊕ v5 ⊕ v6 ⊕ v7 ⊕ v9 ⊕ v15

k17 = k54 ⊕ k57 ⊕ k60 ⊕ k62 ⊕ k63 ⊕ v1 ⊕ v2 ⊕ v4 ⊕ v6 ⊕ v7 ⊕ v8 ⊕ v10 ⊕ v16

k18 = k55 ⊕ k58 ⊕ k61 ⊕ k63 ⊕ v0 ⊕ v2 ⊕ v3 ⊕ v5 ⊕ v7 ⊕ v8 ⊕ v9 ⊕ v11 ⊕ v17

k19 = k56 ⊕ k59 ⊕ k62 ⊕ v0 ⊕ v1 ⊕ v3 ⊕ v4 ⊕ v6 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v12 ⊕ v18

k20 = k57 ⊕ k60 ⊕ k63 ⊕ v1 ⊕ v2 ⊕ v4 ⊕ v5 ⊕ v7 ⊕ v9 ⊕ v10 ⊕ v11 ⊕ v13 ⊕ v19

k21 = k58 ⊕ k61 ⊕ v0 ⊕ v2 ⊕ v3 ⊕ v5 ⊕ v6 ⊕ v8 ⊕ v10 ⊕ v11 ⊕ v12 ⊕ v14 ⊕ v20

k22 = k59 ⊕ k62 ⊕ v1 ⊕ v3 ⊕ v4 ⊕ v6 ⊕ v7 ⊕ v9 ⊕ v11 ⊕ v12 ⊕ v13 ⊕ v15 ⊕ v21

k23 = k45 ⊕ k48 ⊕ k51 ⊕ k54 ⊕ k57 ⊕ k60 ⊕ k61 ⊕ v2 ⊕ v4 ⊕ v7 ⊕ v8 ⊕ v10 ⊕ v12 ⊕ v17 ⊕ v18

k24 = k46 ⊕ k49 ⊕ k52 ⊕ k55 ⊕ k58 ⊕ k61 ⊕ k62 ⊕ v3 ⊕ v5 ⊕ v8 ⊕ v9 ⊕ v11 ⊕ v13 ⊕ v18 ⊕ v19

k25 = k47 ⊕ k50 ⊕ k53 ⊕ k56 ⊕ k59 ⊕ k62 ⊕ k63 ⊕ v4 ⊕ v6 ⊕ v9 ⊕ v10 ⊕ v12 ⊕ v14 ⊕ v19 ⊕ v20

k26 = k48 ⊕ k51 ⊕ k54 ⊕ k57 ⊕ k60 ⊕ k63 ⊕ v0 ⊕ v5 ⊕ v7 ⊕ v10 ⊕ v11 ⊕ v13 ⊕ v15 ⊕ v20 ⊕ v21


k27 = k49 ⊕ k52 ⊕ k55 ⊕ k58 ⊕ k61 ⊕ v0 ⊕ v1 ⊕ v6 ⊕ v8 ⊕ v11 ⊕ v12 ⊕ v14 ⊕ v16 ⊕ v21

k28 = k50 ⊕ k53 ⊕ k56 ⊕ k59 ⊕ k62 ⊕ v1 ⊕ v2 ⊕ v7 ⊕ v9 ⊕ v12 ⊕ v13 ⊕ v15 ⊕ v17

k29 = k45 ⊕ k48 ⊕ k60 ⊕ k61 ⊕ v2 ⊕ v3 ⊕ v5 ⊕ v8 ⊕ v10 ⊕ v17

k30 = k45 ⊕ k46 ⊕ k48 ⊕ k49 ⊕ k51 ⊕ k54 ⊕ k57 ⊕ k62 ⊕ k63 ⊕ v3 ⊕ v4 ⊕ v5 ⊕ v6 ⊕ v9 ⊕ v11 ⊕ v13 ⊕ v14 ⊕ v16 ⊕ v17

k31 = k46 ⊕ k47 ⊕ k49 ⊕ k50 ⊕ k52 ⊕ k55 ⊕ k58 ⊕ k63 ⊕ v0 ⊕ v4 ⊕ v5 ⊕ v6 ⊕ v7 ⊕ v10 ⊕ v12 ⊕ v14 ⊕ v15 ⊕ v17 ⊕ v18

k32 = k47 ⊕ k48 ⊕ k50 ⊕ k51 ⊕ k53 ⊕ k56 ⊕ k59 ⊕ v0 ⊕ v1 ⊕ v5 ⊕ v6 ⊕ v7 ⊕ v8 ⊕ v11 ⊕ v13 ⊕ v15 ⊕ v16 ⊕ v18 ⊕ v19

k33 = k48 ⊕ k49 ⊕ k51 ⊕ k52 ⊕ k54 ⊕ k57 ⊕ k60 ⊕ v1 ⊕ v2 ⊕ v6 ⊕ v7 ⊕ v8 ⊕ v9 ⊕ v12 ⊕ v14 ⊕ v16 ⊕ v17 ⊕ v19 ⊕ v20

k34 = k49 ⊕ k50 ⊕ k52 ⊕ k53 ⊕ k55 ⊕ k58 ⊕ k61 ⊕ v2 ⊕ v3 ⊕ v7 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v13 ⊕ v15 ⊕ v17 ⊕ v18 ⊕ v20 ⊕ v21

k35 = k50 ⊕ k51 ⊕ k53 ⊕ k54 ⊕ k56 ⊕ k59 ⊕ k62 ⊕ v3 ⊕ v4 ⊕ v8 ⊕ v9 ⊕ v10 ⊕ v11 ⊕ v14 ⊕ v16 ⊕ v18 ⊕ v19 ⊕ v21

k36 = k51 ⊕ k52 ⊕ k54 ⊕ k55 ⊕ k57 ⊕ k60 ⊕ k63 ⊕ v4 ⊕ v5 ⊕ v9 ⊕ v10 ⊕ v11 ⊕ v12 ⊕ v15 ⊕ v17 ⊕ v19 ⊕ v20

k37 = k52 ⊕ k53 ⊕ k55 ⊕ k56 ⊕ k58 ⊕ k61 ⊕ v0 ⊕ v5 ⊕ v6 ⊕ v10 ⊕ v11 ⊕ v12 ⊕ v13 ⊕ v16 ⊕ v18 ⊕ v20 ⊕ v21

k38 = k53 ⊕ k54 ⊕ k56 ⊕ k57 ⊕ k59 ⊕ k62 ⊕ v1 ⊕ v6 ⊕ v7 ⊕ v11 ⊕ v12 ⊕ v13 ⊕ v14 ⊕ v17 ⊕ v19 ⊕ v21

k39 = k54 ⊕ k55 ⊕ k57 ⊕ k58 ⊕ k60 ⊕ k63 ⊕ v2 ⊕ v7 ⊕ v8 ⊕ v12 ⊕ v13 ⊕ v14 ⊕ v15 ⊕ v18 ⊕ v20

k40 = k55 ⊕ k56 ⊕ k58 ⊕ k59 ⊕ k61 ⊕ v0 ⊕ v3 ⊕ v8 ⊕ v9 ⊕ v13 ⊕ v14 ⊕ v15 ⊕ v16 ⊕ v19 ⊕ v21

k41 = k56 ⊕ k57 ⊕ k59 ⊕ k60 ⊕ k62 ⊕ v1 ⊕ v4 ⊕ v9 ⊕ v10 ⊕ v14 ⊕ v15 ⊕ v16 ⊕ v17 ⊕ v20

k42 = k45 ⊕ k48 ⊕ k51 ⊕ k54 ⊕ k58 ⊕ k60 ⊕ v2 ⊕ v10 ⊕ v11 ⊕ v13 ⊕ v14 ⊕ v15 ⊕ v21

k43 = k46 ⊕ k49 ⊕ k52 ⊕ k55 ⊕ k59 ⊕ k61 ⊕ v3 ⊕ v11 ⊕ v12 ⊕ v14 ⊕ v15 ⊕ v16

k44 = k47 ⊕ k50 ⊕ k53 ⊕ k56 ⊕ k60 ⊕ k62 ⊕ v4 ⊕ v12 ⊕ v13 ⊕ v15 ⊕ v16 ⊕ v17
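
Systems of this kind are the conditions under which a linear map from the 86 key and IV bits to the loaded state vanishes on the chosen registers. The following Python code is an added example, not code from the paper: it simulates the loading phase, derives such a system by Gauss-Jordan elimination over GF(2), and reports which registers a given key-IV pair leaves all-zero. Assumptions: the register lengths 19/22/23 and tap positions are those of the publicly documented A5/1 design, all function names are hypothetical, and the bit numbering may differ from the paper's, so the derived equations need not match the listed ones term for term.

```python
import random

# Assumed: lengths/taps of the public A5/1 design; the paper's bit numbering may differ.
REGS = {"A": (19, (13, 16, 17, 18)), "B": (22, (20, 21)), "C": (23, (7, 20, 21, 22))}
NVARS = 64 + 22  # variables k0..k63 followed by v0..v21

def load(bits):
    """Loading phase: regular clocking, each input bit XORed into every feedback."""
    state = {}
    for name, (n, taps) in REGS.items():
        r = 0
        for b in bits:
            for t in taps:
                b ^= (r >> t) & 1
            r = ((r << 1) & ((1 << n) - 1)) | b
        state[name] = r
    return state

def zero_registers(bits):
    """Names of the registers left all-zero by the loading phase."""
    return [name for name, r in load(bits).items() if r == 0]

def conditions(names):
    """One GF(2) equation per register stage; columns come from loading unit vectors."""
    cols = [load([int(i == j) for i in range(NVARS)]) for j in range(NVARS)]
    return [sum(((cols[j][n] >> s) & 1) << j for j in range(NVARS))
            for n in names for s in range(REGS[n][0])]

def solve(rows):
    """Gauss-Jordan elimination over GF(2): {pivot variable: reduced equation}."""
    piv = {}
    for row in rows:
        for p, pr in piv.items():
            row ^= pr if (row >> p) & 1 else 0
        if row:
            p = (row & -row).bit_length() - 1  # lowest-index variable is the pivot
            for q in piv:
                piv[q] ^= row if (piv[q] >> p) & 1 else 0
            piv[p] = row
    return piv

def sample_weak_pair(names, seed=1):
    """Constructed test input: random free bits, pivot bits solved from the equations."""
    rng = random.Random(seed)
    piv = solve(conditions(names))
    x = [0 if j in piv else rng.randrange(2) for j in range(NVARS)]
    for p, row in piv.items():
        x[p] = sum(x[j] for j in range(NVARS) if j != p and (row >> j) & 1) % 2
    return x
```

For the register pairs A/B, A/C and B/C the solver returns 41, 42 and 45 equations with pivots k0..k40, k0..k41 and k0..k44, the same counts and left-hand sides as the three systems listed above.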
